December 30, 2008 at 21:54:07
Hey, similar to what Jaynaz posted earlier, I'm also receiving a fake Security Alert trying to get me to download security programs:

"Name: Win32.Zafi.B
Risk Level: High
Description: Zafi.B is a worm trojan program that records keystrokes and takes screen shots of the computer, stealing personal financial information."

I downloaded the latest Malware and Hijack This programs (from links posted in Jaynaz's responses) and have the logs ready to post. If someone could help me out by taking a look at them that'd be great. Thanks in advance.

December 31, 2008 at 15:05:12
Please post your Malwarebytes and Hijack This logs.

January 7, 2009 at 03:18:01
Ugh. I had this last night. As you realised, it's not a genuine Windows alert, but an attempt to con you into downloading malware. So first, don't download the stuff it's telling you to.

It took me a fair bit of searching to find the solution for this, but mercifully it's really quite simple to remove manually (interestingly enough, neither Ad-Aware nor MB Anti-Malware picked up the problem when scanning).

Removal (for XP; the directories may be different for other OSes, so you might have to do some digging if you're not on XP)

1. Go to C:\Documents and Settings\<YOUR USERNAME>\Application Data\Google

2. In there you should see two files, one an .exe and the other a .dll. The actual filenames are randomly generated I believe (mine were called ocboo1892823.exe and sysspc.dll, for example). Depending on whether you have any genuine Google apps such as Google Earth or Google Toolbar installed you might also have a couple of sub-directories in there as well, but you can ignore those. We're concentrating on those two rogue .exe and .dll files.

3. Since the process is currently running on your machine, Windows probably won't let you delete the files, so you need to write down the names (you'll need these in a minute as well), reboot into Safe Mode (or Safe Mode with Command Prompt if you're paranoid like me ;), navigate to the aforementioned folder and delete those two files, the .exe and the .dll. Quit Safe Mode and reboot into normal Windows again.

4. Go to Start > Run > regedit to open the Registry Editor. In the Registry Editor, go to Edit > Find and search for the filename of the malicious .exe file you just deleted (this is why you just wrote them down). You can safely delete any registry key that refers to it. Don't forget to press F3 to keep searching after you delete each instance, until you get the message "Finished searching through the registry". Repeat for the other file (the .dll). Once this is done, you should be all clear, but it's still worth rebooting and running full anti-virus and anti-malware scans on your machine.

Hope this helps.

January 12, 2009 at 13:59:34
Hi, menendez -
I canNOT thank you enough for your how-to fix advice regarding that annoying
"Win32.Zafi.B" hoax. I was on the verge of freaking out before I came across this site...Such a great resource! Thanks again! :)

January 13, 2009 at 04:22:33
Thanks menendez. Dealing with a friend's laptop today, I found both this and a second random-looking named executable and supporting files in c:\Documents and Settings\All Users\Application Data\NNNNNN where NNNNNN was a 9-digit number starting 115 (I guess probably random, but I can't remember the number anyway). Both had registry entries in HKLM\Software\Microsoft\Windows\CurrentVersion\Run but I suspect that they get rewritten on shutdown so it's no use removing them until after you have deleted the .exes in Safe Mode and rebooted.
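Added example, not code from any poster in this thread: a read-only Python triage script that checks the two places menendez's steps 2 and 4 and the HKLM\...\Run note above point at. It lists loose .exe/.dll files sitting directly in a profile's Application Data\Google folder, and flags Run-key values whose binary lives under an Application Data folder with a random-looking name (a long digit run, or an all-digit parent folder), so you can confirm what you are looking at before deleting anything in Safe Mode. The sample Run entries and folder listing are constructed (the user name "alice" and the 9-digit folder "115000000" are made up; the thread only says the folder started with 115); on Windows the script reads the real Run keys via the standard `winreg` module instead, on any other OS it runs against the constructed sample.

```python
"""Read-only triage for the rogue "Win32.Zafi.B" alert described in this thread.

It does not delete or modify anything; it lists the candidates that menendez's
steps 2 and 4 (and the later HKLM\\...\\Run note) would have you inspect.
"""
import ntpath   # Windows path handling that also works when run on Linux/macOS
import re
import sys

# Autorun keys mentioned in the thread (HKLM\...\Run) plus the per-user equivalent.
RUN_KEYS = (
    ("HKLM", r"Software\Microsoft\Windows\CurrentVersion\Run"),
    ("HKCU", r"Software\Microsoft\Windows\CurrentVersion\Run"),
)

# Constructed sample Run values modelled on the thread's descriptions; these are
# not real registry contents from any poster's machine. "ocboo1892823.exe" is
# the name menendez reported; "alice" and the 9-digit folder are made up.
SAMPLE_RUN_ENTRIES = [
    ("ctfmon.exe", r"C:\WINDOWS\system32\ctfmon.exe"),
    ("Google Update", r"C:\Program Files\Google\Update\GoogleUpdate.exe /c"),
    ("ocboo1892823", r"C:\Documents and Settings\alice\Application Data\Google\ocboo1892823.exe"),
    ("115000000", r'"C:\Documents and Settings\All Users\Application Data\115000000\115000000.exe" -s'),
]

# Constructed listing of a profile's Application Data\Google folder: genuine
# Google apps keep their files in sub-folders, so loose binaries are the suspects.
SAMPLE_GOOGLE_DIR_LISTING = ["Google Earth", "GoogleToolbar", "ocboo1892823.exe", "sysspc.dll"]

# Absolute .exe/.dll paths inside a Run command, quoted or not.
PATH_RE = re.compile(r'"?([A-Za-z]:\\[^"]*?\.(?:exe|dll))"?', re.IGNORECASE)


def extract_binary_paths(command):
    """Return every absolute .exe/.dll path found in a Run-key command string."""
    return PATH_RE.findall(command)


def looks_random(stem):
    """True for names like 'ocboo1892823' or '115000000' (long digit runs)."""
    if stem.isdigit() and len(stem) >= 6:
        return True
    return bool(re.search(r"[A-Za-z]+\d{4,}$", stem))


def under_application_data(path):
    """True when the path sits under a per-user or All Users Application Data folder."""
    return "\\application data\\" in path.lower()


def suspicious_autoruns(entries):
    """Flag (value_name, command) Run entries pointing at a random-looking binary under Application Data."""
    flagged = []
    for value_name, command in entries:
        for path in extract_binary_paths(command):
            stem = ntpath.splitext(ntpath.basename(path))[0]
            parent = ntpath.basename(ntpath.dirname(path))
            if under_application_data(path) and (looks_random(stem) or parent.isdigit()):
                flagged.append((value_name, path, "random-looking binary under Application Data"))
    return flagged


def loose_binaries(listing):
    """Step 2: loose .exe/.dll files directly inside the Application Data\\Google folder."""
    return sorted(name for name in listing if name.lower().endswith((".exe", ".dll")))


def read_live_run_entries():
    """Windows only: read the real Run keys (read-only) with the standard winreg module."""
    import winreg
    hives = {"HKLM": winreg.HKEY_LOCAL_MACHINE, "HKCU": winreg.HKEY_CURRENT_USER}
    entries = []
    for hive_name, subkey in RUN_KEYS:
        try:
            key = winreg.OpenKey(hives[hive_name], subkey)
        except OSError:
            continue
        with key:
            index = 0
            while True:
                try:
                    name, data, _type = winreg.EnumValue(key, index)
                except OSError:
                    break   # no more values in this key
                entries.append((name, str(data)))
                index += 1
    return entries


if __name__ == "__main__":
    entries = read_live_run_entries() if sys.platform == "win32" else SAMPLE_RUN_ENTRIES
    for value_name, path, reason in suspicious_autoruns(entries):
        print(f"[Run] {value_name}: {path} ({reason})")
    for name in loose_binaries(SAMPLE_GOOGLE_DIR_LISTING):
        print(f"[AppData\\Google] {name}")
```

The script only reports; the actual deletion still happens by hand in Safe Mode as menendez describes, and because the poster above suspects the Run values are rewritten at shutdown, running the check again after the reboot is a cheap way to confirm the entries are really gone.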

January 31, 2009 at 14:00:47
I just can't get into Safe Mode... I press F8, then a blue window appears, I select the hard drive (from 3 options, one is something random that I can't remember and the other one is CD-ROM)... then Windows launches normally. ?

So I tried MSCONFIG in the executable but the $%*$* virus restarts my computer every time I click on boot.ini.

I use Webroot Spy Sweeper/antivirus (up to date) plus Windows Firewall plus a router and this THING got through all that. I didn't download anything, I don't have sharing programs such as LimeWire; it popped up when I was trying to watch Alien vs. Predator: Requiem on the net.

I'm really desperate.

February 1, 2009 at 05:49:30
Thanks very much for this advice.
I actually managed to delete the files without going in to Safe Mode.
Kill the process of the same name as the exe in the Task Manager.
Neither McAfee nor Norton Disk Doctor removed this frikkin adware.

February 5, 2009 at 12:41:02
Thanks for this, it helped a lot. One question: after removing the files in Safe Mode and rebooting I did not find either entry in the registry. Did I miss something or am I being paranoid?

February 17, 2009 at 10:44:11
I have the same problem and neither Malwarebytes' Anti-Malware nor a-squared resolved it; I still have that Security Center alert: Win32.Zafi.B.
Like daedrick, when I try to run msconfig it restarts my computer.
I just don't know what to do now.

