
malware affecting IE7 on XP



Posted

I seem to have some kind of malware affecting IE7 & Firefox on my PC w/ XP.

Does anyone recognize this? I have Avira AntiVir, been updating it every

day and scans don't detect anything.

 

I am not able to browse to certain sites like avira.com, avg.com, and other

anti-virus sites. With IE7 I get redirected to a Google page and w/ Firefox

a "page load error" screen saying that the browser "failed to connect".

 

If I type www.avira.com into IE7 I am redirected to a Google search page at

this URL (I don't advise clicking it):

 

http://www.google.com/search?q=www.avira.c...ex=&startPage=1

 

If I click the link to avira.com from that page, it takes me to this URL

(again, I don't advise clicking it):

 

http://go.google.com/?u=00a3f63266b79fba14...d=v300&mppc=234

 

Then a page saying that I have security problems pops up, and prompts me to

download security updates, and IE puts up a message bar saying that it has

blocked the site from downloading files, as you can see in the screen

capture here (feel free to click this one):

 

http://productivitymuse.com/screenshot_090117.jpg

 

The URL of the page in the screen capture is (don't click it):

 

http://scan.antispyware-pro-scanner.com/243/3/

 

Does anyone know what could be causing my browser to redirect like this and

how to correct it?

 

An adjunctive problem is that Spybot S&D won't start. When I click it, I get

an hourglass for a few seconds and then nothing happens. When I go into Task

Manager it does not show Spybot running.

 

All of this started happening late Wednesday night (possibly after midnight)

after the Windows Security Center popped up and told me that I had the

zafi.b worm. A scan w/ AntiVir detected and deleted some files and the

zafi.b warnings went away, but obviously I still have something. I installed

AVG as well, and it didn't find anything and wouldn't connect to the update

server.

 

Thanks for any advice.

 

Here's some info on the registrant of the site that is trying to download

files to my computer. Notice that the domain was just published on 1/15/09.

The site is also self-hosted, which means that Mr. Mott from Detroit

Michigan 48204 (not Mississippi) can have anything he wants on his server...

 

Registration Service Provided By: ALVO BUSINESS SOLUTIONS, CORP.

Contact: +1.8662097142

 

Domain Name: ANTISPYWARE-PRO-SCANNER.COM

 

Registrant:

N/A

Deron Mott (deronmott@ymail.com)

Fremont St. 91 21

DETROIT

Mississippi,48204

US

Tel. +131.433437

 

Creation Date: 15-Jan-2009

Expiration Date: 15-Jan-2010

 

Domain servers in listed order:

ns4.alvobs.com

ns3.alvobs.com

ns2.alvobs.com

ns1.alvobs.com
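One fact in that WHOIS record holds up no matter how the registrant fields were filled in: the registry's creation date puts the domain two days old when it was seen serving the fake scanner page. The following Python check, an example added to this thread and not code from any of the posters, parses a record in the format pasted above and computes the domain's age at the time of observation. The observation date 2009-01-17 is an assumption taken from the screenshot filename in the post (screenshot_090117.jpg); the 30-day "newly registered" threshold is likewise a chosen value, not something from the thread.

```python
import re
from datetime import date, datetime

# Constructed sample: the WHOIS record quoted in the thread, verbatim.
SAMPLE_WHOIS = """\
Registration Service Provided By: ALVO BUSINESS SOLUTIONS, CORP.
Contact: +1.8662097142

Domain Name: ANTISPYWARE-PRO-SCANNER.COM

Registrant:
N/A
Deron Mott (deronmott@ymail.com)
Fremont St. 91 21
DETROIT
Mississippi,48204
US
Tel. +131.433437

Creation Date: 15-Jan-2009
Expiration Date: 15-Jan-2010

Domain servers in listed order:
ns4.alvobs.com
ns3.alvobs.com
ns2.alvobs.com
ns1.alvobs.com
"""

# Assumed observation date: taken from the screenshot filename in the post
# (screenshot_090117.jpg), i.e. 17 January 2009.
OBSERVED_ON = date(2009, 1, 17)

DATE_FMT = "%d-%b-%Y"  # the "15-Jan-2009" form used in this record


def parse_whois(text):
    """Extract the fields the age check needs from a flat 'Key: value' record."""
    record = {}
    for key in ("Domain Name", "Creation Date", "Expiration Date"):
        m = re.search(r"^" + re.escape(key) + r":\s*(.+?)\s*$", text, re.MULTILINE)
        if m is None:
            raise ValueError(f"WHOIS record lacks '{key}'")
        record[key] = m.group(1)
    # Name servers follow the "Domain servers in listed order:" header,
    # one per line, up to the next blank line.
    servers, collecting = [], False
    for line in text.splitlines():
        if line.startswith("Domain servers in listed order:"):
            collecting = True
        elif collecting:
            if not line.strip():
                break
            servers.append(line.strip().lower())
    record["nameservers"] = servers
    return record


def assess_domain(text, observed_on, young_days=30):
    """Compute the domain's age when it was seen and flag a fresh registration.

    The creation date comes from the registry rather than from the registrant,
    so it is usable even when the contact details are obviously fake.
    """
    record = parse_whois(text)
    created = datetime.strptime(record["Creation Date"], DATE_FMT).date()
    expires = datetime.strptime(record["Expiration Date"], DATE_FMT).date()
    age_days = (observed_on - created).days
    return {
        "domain": record["Domain Name"].lower(),
        "age_days": age_days,
        "term_days": (expires - created).days,
        "nameservers": record["nameservers"],
        "newly_registered": 0 <= age_days < young_days,
    }


if __name__ == "__main__":
    for key, value in assess_domain(SAMPLE_WHOIS, OBSERVED_ON).items():
        print(f"{key}: {value}")
```

Run against the sample record the check reports an age of 2 days and a one-year term, which is the kind of signal a defender would use to block a landing domain seen at the end of a browser redirect chain, without needing any opinion on who the registrant really is.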

Guest David H. Lipman
Posted

From: "John" <noreply@noreply.com>

 

| I seem to have some kind of malware affecting IE7 & Firefox on my PC w/ XP.

| Does anyone recognize this? I have Avira AntiVir, been updating it every

| day and scans don't detect anything.

 

| I am not able to browse to certain sites like avira.com, avg.com, and other

| anti-virus sites. With IE7 I get redirected to a Google page and w/ Firefox

| a "page load error" screen saying that the browser "failed to connect".

 

| If I type www.avira.com into IE7 I am redirected to a Google search page at

| this URL (I don't advise clicking it):

 

| http://www.google.com/search?q=www.avira.c...UTF-8&oe=UTF-8&

| startIndex=&startPage=1

 

| If I click the link to avira.com from that page, it takes me to this URL

| (again, I don't advise clicking it):

 

| http://go.google.com/?u=00a3f63266b79fba14....822.19.77&bid=

| 0.027225&aid=61&said=v300&mppc=234

 

| Then a page saying that I have security problems pops up, and prompts me to

| download security updates, and IE puts up a message bar saying that it has

| blocked the site from downloading files, as you can see in the screen

| capture here (feel free to click this one):

 

| http://productivitymuse.com/screenshot_090117.jpg

 

| The URL of the page in the screen capture is (don't click it):

 

| http://scan.antispyware-pro-scanner.com/243/3/

 

| Does anyone know what could be causing my browser to redirect like this and

| how to correct it?

 

| An adjunctive problem is that Spybot S&D won't start. When I click it, I get

| an hourglass for a few seconds and then nothing happens. When I go into Task

| Manager it does not show Spybot running.

 

| All of this started happening late Wednesday night (possibly after midnight)

| after the Windows Security Center popped up and told me that I had the

| zafi.b worm. A scan w/ AntiVir detected and deleted some files and the

| zafi.b warnings went away, but obviously I still have something. I installed

| AVG as well, and it didn't find anything and wouldn't connect to the update

| server.

 

| Thanks for any advice.

 

| Here's some info on the registrant of the site that is trying to download

| files to my computer. Notice that the domain was just published on 1/15/09.

| The site is also self-hosted, which means that Mr. Mott from Detroit

| Michigan 48204 (not Mississippi) can have anything he wants on his server...

 

| Registration Service Provided By: ALVO BUSINESS SOLUTIONS, CORP.

| Contact: +1.8662097142

 

| Domain Name: ANTISPYWARE-PRO-SCANNER.COM

 

| Registrant:

| N/A

| Deron Mott (deronmott@ymail.com)

| Fremont St. 91 21

| DETROIT

| Mississippi,48204

| US

| Tel. +131.433437

 

| Creation Date: 15-Jan-2009

| Expiration Date: 15-Jan-2010

 

| Domain servers in listed order:

| ns4.alvobs.com

| ns3.alvobs.com

| ns2.alvobs.com

| ns1.alvobs.com

 

 

 

I suggest you use the following pair...

 

Malwarebytes Anti-Malware

http://www.malwarebytes.org/mbam/program/mbam-setup.exe

 

SuperAntiSpyware

http://www.superantispyware.com/downloadfi...ANTISPYWAREFREE

 

 

 

 

--

Dave

http://www.claymania.com/removal-trojan-adware.html

Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp

Posted

I see that Malke replied to a similar post and will try those steps...

 

But maybe Mr. Deron Mott should be investigated because I'm getting

redirected to his web site, which is trying to d/l files to my computer.

Seems like he may be the source of the problem.

 

 

"John" <noreply@noreply.com> wrote in message

news:uzd5YbNeJHA.5344@TK2MSFTNGP05.phx.gbl...

>I seem to have some kind of malware affecting IE7 & Firefox on my PC w/ XP.

>Does anyone recognize this? I have Avira AntiVir, been updating it every

>day and scans don't detect anything.

>

> I am not able to browse to certain sites like avira.com, avg.com, and

> other anti-virus sites. With IE7 I get redirected to a Google page and w/

> Firefox a "page load error" screen saying that the browser "failed to

> connect".

>

> If I type www.avira.com into IE7 I am redirected to a Google search page

> at this URL (I don't advise clicking it):

>

> http://www.google.com/search?q=www.avira.c...ex=&startPage=1

>

> If I click the link to avira.com from that page, it takes me to this URL

> (again, I don't advise clicking it):

>

> http://go.google.com/?u=00a3f63266b79fba14...d=v300&mppc=234

>

> Then a page saying that I have security problems pops up, and prompts me

> to download security updates, and IE puts up a message bar saying that it

> has blocked the site from downloading files, as you can see in the screen

> capture here (feel free to click this one):

>

> http://productivitymuse.com/screenshot_090117.jpg

>

> The URL of the page in the screen capture is (don't click it):

>

> http://scan.antispyware-pro-scanner.com/243/3/

>

> Does anyone know what could be causing my browser to redirect like this

> and how to correct it?

>

> An adjunctive problem is that Spybot S&D won't start. When I click it, I

> get an hourglass for a few seconds and then nothing happens. When I go

> into Task Manager it does not show Spybot running.

>

> All of this started happening late Wednesday night (possibly after

> midnight) after the Windows Security Center popped up and told me that I

> had the zafi.b worm. A scan w/ AntiVir detected and deleted some

> files and the zafi.b warnings went away, but obviously I still have

> something. I installed AVG as well, and it didn't find anything and

> wouldn't connect to the update server.

>

> Thanks for any advice.

>

> Here's some info on the registrant of the site that is trying to download

> files to my computer. Notice that the domain was just published on

> 1/15/09. The site is also self-hosted, which means that Mr. Mott from

> Detroit Michigan 48204 (not Mississippi) can have anything he wants on his

> server...

>

> Registration Service Provided By: ALVO BUSINESS SOLUTIONS, CORP.

> Contact: +1.8662097142

>

> Domain Name: ANTISPYWARE-PRO-SCANNER.COM

>

> Registrant:

> N/A

> Deron Mott (deronmott@ymail.com)

> Fremont St. 91 21

> DETROIT

> Mississippi,48204

> US

> Tel. +131.433437

>

> Creation Date: 15-Jan-2009

> Expiration Date: 15-Jan-2010

>

> Domain servers in listed order:

> ns4.alvobs.com

> ns3.alvobs.com

> ns2.alvobs.com

> ns1.alvobs.com


Posted

Thanks David. Unfortunately my browser won't connect to either of those

sites. I'll have to see if I can get a friend to d/l them and put them on a

disk for me.

 

 

"David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote in message

news:Oth9ZlNeJHA.3776@TK2MSFTNGP04.phx.gbl...


> I suggest you use the following pair...

>

> Malwarebytes Anti-Malware

> http://www.malwarebytes.org/mbam/program/mbam-setup.exe

>

> SuperAntiSpyware

> http://www.superantispyware.com/downloadfi...ANTISPYWAREFREE

>

>

>

>

> --

> Dave

> http://www.claymania.com/removal-trojan-adware.html

> Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp


Posted

Hi -

 

I am having terrible problems with this. I tried to download what you

suggested (Malwarebytes Anti-Malware and SuperAntiSpyware), but my

laptop wouldn't allow it (presumably under the direction of the virus).

I then went to another laptop and successfully downloaded both of them

to a portable usb drive which I then plugged into the infected one ...

but the infected laptop won't let either of them execute.

 

Any suggestions?

 

Clinton

 

 

--

ur85q

------------------------------------------------------------------------

ur85q's Profile: http://forums.techarena.in/members/ur85q.htm

View this thread: http://forums.techarena.in/security-virus/1105254.htm

 

http://forums.techarena.in

Guest David H. Lipman
Posted

From: "ur85q" <ur85q.3m6ezb@DoNotSpam.com>

 

| Hi -

 

| I am having terrible problems with this. I tried to download what you suggested

| (Malwarebytes Anti-Malware and SuperAntiSpyware), but my laptop wouldn't allow it

| (presumably under the direction of the virus). I then went to another laptop and

| successfully downloaded both of them to a portable usb drive which I then plugged into

| the infected one ... but the infected laptop won't let either of them execute.

 

| Any suggestions?

 

Rename the installers.

 

Additionally you can download the MBAM signatures the same way...

 

http://www.gt500.org/malwarebytes/database.jsp

 

--

Dave

http://www.claymania.com/removal-trojan-adware.html

Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp

Guest David H. Lipman
Posted

From: "John" <noreply@noreply.com>

 

| I see that Malke replied to a similar post and will try those steps...

 

| But maybe Mr. Deron Mott should be investigated because I'm getting

| redirected to his web site, which is trying to d/l files to my computer.

| Seems like he may be the source of the problem.

 

LOL -- Fake info !

 

 

--

Dave

http://www.claymania.com/removal-trojan-adware.html

Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp

Guest Richard Urban
Posted

This sounds surprisingly like the worm (called "Downadup" or "Conficker")

that has infected 9 million computers to date.

http://www.msnbc.msn.com/id/28708241/

 

If so, shame for not installing your Windows updates in a timely fashion.

There was a patch issued to prevent this in October.

 

The latest version of the Microsoft Malicious Removal Tool, issued on the

2nd Tuesday of this month, will clean this out. You DID get January updates

right? If so, search for mrt.exe and run the program from your computer. It

will remove this and you should be golden.

 

 

--

 

Richard Urban

Microsoft MVP

Windows Desktop Experience

 

 

"John" <noreply@noreply.com> wrote in message

news:uzd5YbNeJHA.5344@TK2MSFTNGP05.phx.gbl...

> I seem to have some kind of malware affecting IE7 & Firefox on my PC w/

> XP. Does anyone recognize this? I have Avira AntiVir, been updating it

> every day and scans don't detect anything.

>

> I am not able to browse to certain sites like avira.com, avg.com, and

> other anti-virus sites. With IE7 I get redirected to a Google page and w/

> Firefox a "page load error" screen saying that the browser "failed to

> connect".

>

> If I type www.avira.com into IE7 I am redirected to a Google search page

> at this URL (I don't advise clicking it):

>

> http://www.google.com/search?q=www.avira.c...ex=&startPage=1

>

> If I click the link to avira.com from that page, it takes me to this URL

> (again, I don't advise clicking it):

>

> http://go.google.com/?u=00a3f63266b79fba14...d=v300&mppc=234

>

> Then a page saying that I have security problems pops up, and prompts me

> to download security updates, and IE puts up a message bar saying that it

> has blocked the site from downloading files, as you can see in the screen

> capture here (feel free to click this one):

>

> http://productivitymuse.com/screenshot_090117.jpg

>

> The URL of the page in the screen capture is (don't click it):

>

> http://scan.antispyware-pro-scanner.com/243/3/

>

> Does anyone know what could be causing my browser to redirect like this

> and how to correct it?

>

> An adjunctive problem is that Spybot S&D won't start. When I click it, I

> get an hourglass for a few seconds and then nothing happens. When I go

> into Task Manager it does not show Spybot running.

>

> All of this started happening late Wednesday night (possibly after

> midnight) after the Windows Security Center popped up and told me that I

> had the zafi.b worm. A scan w/ AntiVir detected and deleted some

> files and the zafi.b warnings went away, but obviously I still have

> something. I installed AVG as well, and it didn't find anything and

> wouldn't connect to the update server.

>

> Thanks for any advice.

>

> Here's some info on the registrant of the site that is trying to download

> files to my computer. Notice that the domain was just published on

> 1/15/09. The site is also self-hosted, which means that Mr. Mott from

> Detroit Michigan 48204 (not Mississippi) can have anything he wants on his

> server...

>

> Registration Service Provided By: ALVO BUSINESS SOLUTIONS, CORP.

> Contact: +1.8662097142

>

> Domain Name: ANTISPYWARE-PRO-SCANNER.COM

>

> Registrant:

> N/A

> Deron Mott (deronmott@ymail.com)

> Fremont St. 91 21

> DETROIT

> Mississippi,48204

> US

> Tel. +131.433437

>

> Creation Date: 15-Jan-2009

> Expiration Date: 15-Jan-2010

>

> Domain servers in listed order:

> ns4.alvobs.com

> ns3.alvobs.com

> ns2.alvobs.com

> ns1.alvobs.com


Posted

Hi again - thanks for that. Okay, so both programs are now installed

(hooray!) but the installed software won't run if I double click on the

new icons. Is there a clever way to get them going?

 

Thanks so much for your help. It's not until you get infected like I

have, that you realize how important it is to keep these nasties under

control.

 

Clinton

 

 

--

ur85q

------------------------------------------------------------------------

ur85q's Profile: http://forums.techarena.in/members/ur85q.htm

View this thread: http://forums.techarena.in/security-virus/1105254.htm

 

http://forums.techarena.in

Guest David H. Lipman
Posted

From: "ur85q" <ur85q.3m6q3b@DoNotSpam.com>

 

| Hi again - thanks for that. Okay, so both programs are now installed (hooray!) but

| the installed software won't run if I double click on the new icons. Is there a clever

| way to get them going?

 

| Thanks so much for your help. It's not until you get infected like I have, that you

| realize how important it is to keep these nasties under control.

 

| Clinton -- ur85q

 

 

Yes, instead of clicking on the link file (LNK), go to the folder, rename the EXE file and

then manually run it.

 

 

--

Dave

http://www.claymania.com/removal-trojan-adware.html

Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp

Guest The Real Truth MVP
Posted

Use my Remove-it software, my site is not blocked by that malware, it will

remove that malware from your system. Choose yes for all options when

prompted. Download it here http://pcbutts1.com/downloads/tools/tools.htm

 

 

 

--

The Real Truth http://pcbutts1-therealtruth.blogspot.com/

 

 

 

 

"John" <noreply@noreply.com> wrote in message

news:OJZ1FEOeJHA.3968@TK2MSFTNGP06.phx.gbl...

> Thanks David. Unfortunately my browser won't connect to either of those

> sites. I'll have to see if I can get a friend to d/l them and put them on

> a disk for me.

>

>

> "David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote in message

> news:Oth9ZlNeJHA.3776@TK2MSFTNGP04.phx.gbl...

>

>> I suggest you use the following pair...

>>

>> Malwarebytes Anti-Malware

>> http://www.malwarebytes.org/mbam/program/mbam-setup.exe

>>

>> SuperAntiSpyware

>> http://www.superantispyware.com/downloadfi...ANTISPYWAREFREE

>>

>>

>>

>>

>> --

>> Dave

>> http://www.claymania.com/removal-trojan-adware.html

>> Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp

>>

>>


Guest The Real Truth MVP
Posted

Use my Remove-it software, my site is not blocked by that malware, it will

remove that malware from your system. Choose yes for all options when

prompted. Download it here http://pcbutts1.com/downloads/tools/tools.htm

 

 

--

The Real Truth http://pcbutts1-therealtruth.blogspot.com/

 

 

 

 

"ur85q" <ur85q.3m6ezb@DoNotSpam.com> wrote in message

news:ur85q.3m6ezb@DoNotSpam.com...

>

> Hi -

>

> I am having terrible problems with this. I tried to download what you

> suggested (Malwarebytes Anti-Malware and SuperAntiSpyware), but my

> laptop wouldn't allow it (presumably under the direction of the virus).

> I then went to another laptop and successfully downloaded both of them

> to a portable usb drive which I then plugged into the infected one ...

> but the infected laptop won't let either of them execute.

>

> Any suggestions?

>

> Clinton

>

>

> --

> ur85q

> ------------------------------------------------------------------------

> ur85q's Profile: http://forums.techarena.in/members/ur85q.htm

> View this thread: http://forums.techarena.in/security-virus/1105254.htm

>

> http://forums.techarena.in


Posted

I actually d/l all updates as soon as prompted. I actually just got some

updates within the past week. I just changed it to d/l automatically at

2 a.m. I'll look for that file. Currently, a complete search of my C drive

does not find it. Thanks.

 

 

"Richard Urban" <richardurbanREMOVETHIS@hotmail.com> wrote in message

news:Okhl3SQeJHA.1272@TK2MSFTNGP04.phx.gbl...

> This sounds surprisingly like the worm (called "Downadup" or "Conficker")

> that has infected 9 million computers to date.

> http://www.msnbc.msn.com/id/28708241/

>

> If so, shame for not installing your Windows updates in a timely fashion.

> There was a patch issued to prevent this in October.

>

> The latest version of the Microsoft Malicious Removal Tool, issued on the

> 2nd Tuesday of this month, will clean this out. You DID get January

> updates right? If so, search for mrt.exe and run the program from your

> computer. It will remove this and you should be golden.

>

>

> --

>

> Richard Urban

> Microsoft MVP

> Windows Desktop Experience

>

>

> "John" <noreply@noreply.com> wrote in message

> news:uzd5YbNeJHA.5344@TK2MSFTNGP05.phx.gbl...

>> I seem to have some kind of malware affecting IE7 & Firefox on my PC w/

>> XP. Does anyone recognize this? I have Avira AntiVir, been updating it

>> every day and scans don't detect anything.

>>

>> I am not able to browse to certain sites like avira.com, avg.com, and

>> other anti-virus sites. With IE7 I get redirected to a Google page and w/

>> Firefox a "page load error" screen saying that the browser "failed to

>> connect".

>>

>> If I type www.avira.com into IE7 I am redirected to a Google search page

>> at this URL (I don't advise clicking it):

>>

>> http://www.google.com/search?q=www.avira.c...ex=&startPage=1

>>

>> If I click the link to avira.com from that page, it takes me to this URL

>> (again, I don't advise clicking it):

>>

>> http://go.google.com/?u=00a3f63266b79fba14...d=v300&mppc=234

>>

>> Then a page saying that I have security problems pops up, and prompts me

>> to download security updates, and IE puts up a message bar saying that

>> it has blocked the site from downloading files, as you can see in the

>> screen capture here (feel free to click this one):

>>

>> http://productivitymuse.com/screenshot_090117.jpg

>>

>> The URL of the page in the screen capture is (don't click it):

>>

>> http://scan.antispyware-pro-scanner.com/243/3/

>>

>> Does anyone know what could be causing my browser to redirect like this

>> and how to correct it?

>>

>> An adjunctive problem is that Spybot S&D won't start. When I click it, I

>> get an hourglass for a few seconds and then nothing happens. When I go

>> into Task Manager it does not show Spybot running.

>>

>> All of this started happening late Wednesday night (possibly after

>> midnight) after the Windows Security Center popped up and told me that I

>> had the zafi.b worm. A scan w/ AntiVir detected and deleted some

>> files and the zafi.b warnings went away, but obviously I still have

>> something. I installed AVG as well, and it didn't find anything and

>> wouldn't connect to the update server.

>>

>> Thanks for any advice.

>>

>> Here's some info on the registrant of the site that is trying to download

>> files to my computer. Notice that the domain was just published on

>> 1/15/09. The site is also self-hosted, which means that Mr. Mott from

>> Detroit Michigan 48204 (not Mississippi) can have anything he wants on

>> his server...

>>

>> Registration Service Provided By: ALVO BUSINESS SOLUTIONS, CORP.

>> Contact: +1.8662097142

>>

>> Domain Name: ANTISPYWARE-PRO-SCANNER.COM

>>

>> Registrant:

>> N/A

>> Deron Mott (deronmott@ymail.com)

>> Fremont St. 91 21

>> DETROIT

>> Mississippi,48204

>> US

>> Tel. +131.433437

>>

>> Creation Date: 15-Jan-2009

>> Expiration Date: 15-Jan-2010

>>

>> Domain servers in listed order:

>> ns4.alvobs.com

>> ns3.alvobs.com

>> ns2.alvobs.com

>> ns1.alvobs.com


Posted

Hmmm...

 

Well I set Automatic Update to run at 2am and I guess I'm not supposed to be

prompted but I still don't have a file called mrt.exe. I also can't browse

to the Windows Update site.

 

"Richard Urban" <richardurbanREMOVETHIS@hotmail.com> wrote in message

news:Okhl3SQeJHA.1272@TK2MSFTNGP04.phx.gbl...

> This sounds surprisingly like the worm (called "Downadup" or "Conficker")

> that has infected 9 million computers to date.

> http://www.msnbc.msn.com/id/28708241/

>

> If so, shame for not installing your Windows updates in a timely fashion.

> There was a patch issued to prevent this in October.

>

> The latest version of the Microsoft Malicious Removal Tool, issued on the

> 2nd Tuesday of this month, will clean this out. You DID get January

> updates right? If so, search for mrt.exe and run the program from your

> computer. It will remove this and you should be golden.

>

>

> --

>

> Richard Urban

> Microsoft MVP

> Windows Desktop Experience

>

>

> "John" <noreply@noreply.com> wrote in message

> news:uzd5YbNeJHA.5344@TK2MSFTNGP05.phx.gbl...

>> I seem to have some kind of malware affecting IE7 & Firefox on my PC w/

>> XP. Does anyone recognize this? I have Avira AntiVir, been updating it

>> every day and scans don't detect anything.

>>

>> I am not able to browse to certain sites like avira.com, avg.com, and

>> other anti-virus sites. With IE7 I get redirected to a Google page and w/

>> Firefox a "page load error" screen saying that the browser "failed to

>> connect".

>>

>> If I type www.avira.com into IE7 I am redirected to a Google search page

>> at this URL (I don't advise clicking it):

>>

>> http://www.google.com/search?q=www.avira.c...ex=&startPage=1

>>

>> If I click the link to avira.com from that page, it takes me to this URL

>> (again, I don't advise clicking it):

>>

>> http://go.google.com/?u=00a3f63266b79fba14...d=v300&mppc=234

>>

>> Then a page saying that I have security problems pops up, and prompts me

>> to download security updates, and IE puts up a message bar saying that

>> it has blocked the site from downloading files, as you can see in the

>> screen capture here (feel free to click this one):

>>

>> http://productivitymuse.com/screenshot_090117.jpg

>>

>> The URL of the page in the screen capture is (don't click it):

>>

>> http://scan.antispyware-pro-scanner.com/243/3/

>>

>> Does anyone know what could be causing my browser to redirect like this

>> and how to correct it?

>>

>> An adjunctive problem is that Spybot S&D won't start. When I click it, I

>> get an hourglass for a few seconds and then nothing happens. When I go

>> into Task Manager it does not show Spybot running.

>>

>> All of this started happening late Wednesday night (possibly after

>> midnight) after the Windows Security Center popped up and told me that I

>> had the zafi.b worm. A scan w/ AntiVir detected and deleted some

>> files and the zafi.b warnings went away, but obviously I still have

>> something. I installed AVG as well, and it didn't find anything and

>> wouldn't connect to the update server.

>>

>> Thanks for any advice.

>>

>> Here's some info on the registrant of the site that is trying to download

>> files to my computer. Notice that the domain was just published on

>> 1/15/09. The site is also self-hosted, which means that Mr. Mott from

>> Detroit Michigan 48204 (not Mississippi) can have anything he wants on

>> his server...

>>

>> Registration Service Provided By: ALVO BUSINESS SOLUTIONS, CORP.

>> Contact: +1.8662097142

>>

>> Domain Name: ANTISPYWARE-PRO-SCANNER.COM

>>

>> Registrant:

>> N/A

>> Deron Mott (deronmott@ymail.com)

>> Fremont St. 91 21

>> DETROIT

>> Mississippi,48204

>> US

>> Tel. +131.433437

>>

>> Creation Date: 15-Jan-2009

>> Expiration Date: 15-Jan-2010

>>

>> Domain servers in listed order:

>> ns4.alvobs.com

>> ns3.alvobs.com

>> ns2.alvobs.com

>> ns1.alvobs.com


Guest Richard Urban
Posted

Use another computer to download the MRT.exe from the Microsoft web site.

Then try to install it on your infected computer. Note that the infection

may also prevent this from being possible. If you get it successfully

installed, run the program and do a full scan. It may take a couple of

hours.

 

 

 

--

 

Richard Urban

Microsoft MVP

Windows Desktop Experience

 

 

"John" <noreply@noreply.com> wrote in message

news:#XdA7sTeJHA.6012@TK2MSFTNGP02.phx.gbl...

> Hmmm...

>

> Well I set Automatic Update to run at 2am and I guess I'm not supposed to

> be prompted but I still don't have a file called mrt.exe. I also can't

> browse to the Windows Update site.

>

> "Richard Urban" <richardurbanREMOVETHIS@hotmail.com> wrote in message

> news:Okhl3SQeJHA.1272@TK2MSFTNGP04.phx.gbl...

>> This sounds surprisingly like the worm (called "Downadup" or "Conficker")

>> that has infected 9 million computers to date.

>> http://www.msnbc.msn.com/id/28708241/

>>

>> If so, shame for not installing your Windows updates in a timely fashion.

>> There was a patch issued to prevent this in October.

>>

>> The latest version of the Microsoft Malicious Removal Tool, issued on the

>> 2nd Tuesday of this month, will clean this out. You DID get January

>> updates right? If so, search for mrt.exe and run the program from your

>> computer. It will remove this and you should be golden.

>>

>>

>> --

>>

>> Richard Urban

>> Microsoft MVP

>> Windows Desktop Experience

>>

>>

>> "John" <noreply@noreply.com> wrote in message

>> news:uzd5YbNeJHA.5344@TK2MSFTNGP05.phx.gbl...

>>> I seem to have some kind of malware affecting IE7 & Firefox on my PC w/

>>> XP. Does anyone recognize this? I have Avira AntiVir, been updating it

>>> every day and scans don't detect anything.

>>>

>>> I am not able to browse to certain sites like avira.com, avg.com, and

>>> other anti-virus sites. With IE7 I get redirected to a Google page and

>>> w/ Firefox a "page load error" screen saying that the browser "failed to

>>> connect".

>>>

>>> If I type www.avira.com into IE7 I am redirected to a Google search page

>>> at this URL (I don't advise clicking it):

>>>

>>> http://www.google.com/search?q=www.avira.c...ex=&startPage=1

>>>

>>> If I click the link to avira.com from that page, it takes me to this URL

>>> (again, I don't advise clicking it):

>>>

>>> http://go.google.com/?u=00a3f63266b79fba14...d=v300&mppc=234

>>>

>>> Then a page saying that I have security problems pops up, and prompts me

>>> to download security updates, and IE puts up a message bar saying that

>>> it has blocked the site from downloading files, as you can see in the

>>> screen capture here (feel free to click this one):

>>>

>>> http://productivitymuse.com/screenshot_090117.jpg

>>>

>>> The URL of the page in the screen capture is (don't click it):

>>>

>>> http://scan.antispyware-pro-scanner.com/243/3/

>>>

>>> Does anyone know what could be causing my browser to redirect like this

>>> and how to correct it?

>>>

>>> An adjunctive problem is that Spybot S&D won't start. When I click it, I

>>> get an hourglass for a few seconds and then nothing happens. When I go

>>> into Task Manager it does not show Spybot running.

>>>

>>> All of this started happening late Wednesday night (possibly after

>>> midnight) after the Windows Security Center popped up and told me that I

>>> had the zafi.b worm. A scan w/ AntiVir detected and deleted some

>>> files and the zafi.b warnings went away, but obviously I still have

>>> something. I installed AVG as well, and it didn't find anything and

>>> wouldn't connect to the update server.

>>>

>>> Thanks for any advice.

>>>

>>> Here's some info on the registrant of the site that is trying to

>>> download files to my computer. Notice that the domain was just published

>>> on 1/15/09. The site is also self-hosted, which means that Mr. Mott from

>>> Detroit Michigan 48204 (not Mississippi) can have anything he wants on

>>> his server...

>>>

>>> Registration Service Provided By: ALVO BUSINESS SOLUTIONS, CORP.

>>> Contact: +1.8662097142

>>>

>>> Domain Name: ANTISPYWARE-PRO-SCANNER.COM

>>>

>>> Registrant:

>>> N/A

>>> Deron Mott (deronmott@ymail.com)

>>> Fremont St. 91 21

>>> DETROIT

>>> Mississippi,48204

>>> US

>>> Tel. +131.433437

>>>

>>> Creation Date: 15-Jan-2009

>>> Expiration Date: 15-Jan-2010

>>>

>>> Domain servers in listed order:

>>> ns4.alvobs.com

>>> ns3.alvobs.com

>>> ns2.alvobs.com

>>> ns1.alvobs.com

>>></span></span>

>

> </span>
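
The registrant record quoted above is a good triage artifact in its own right. As an added example (not code from the thread), the Python below runs a few checks over a constructed copy of that record: it parses the creation and expiration dates, the "State,ZIP" line and the nameservers, then flags a domain only days old, a minimum one-year registration, a state that does not match its ZIP code, and DNS served from a different domain. The observation date of 17 Jan 2009 is assumed from the screenshot file name, and the ZIP-prefix table is a two-state subset of the USPS list.

```python
"""Triage of the WHOIS record quoted above.

Added example, not code from the thread. SAMPLE_WHOIS is a constructed copy of
the fields John pasted; OBSERVED is assumed from the screenshot file name
(screenshot_090117.jpg -> 17 Jan 2009). ZIP_PREFIXES covers only the two
states the record mentions; use the full USPS table for real work.
"""
import re
from datetime import date, datetime

SAMPLE_WHOIS = """\
Registration Service Provided By: ALVO BUSINESS SOLUTIONS, CORP.
Domain Name: ANTISPYWARE-PRO-SCANNER.COM
Registrant:
N/A
Deron Mott (deronmott@ymail.com)
Fremont St. 91 21
DETROIT
Mississippi,48204
US
Tel. +131.433437
Creation Date: 15-Jan-2009
Expiration Date: 15-Jan-2010
Domain servers in listed order:
ns4.alvobs.com
ns3.alvobs.com
ns2.alvobs.com
ns1.alvobs.com
"""
OBSERVED = date(2009, 1, 17)

# Inclusive ranges of 3-digit ZIP prefixes per state (assumed two-state subset).
ZIP_PREFIXES = {"michigan": [(480, 499)], "mississippi": [(386, 397)]}


def _date(text, label):
    m = re.search(label + r":\s*(\d{2}-[A-Za-z]{3}-\d{4})", text)
    return datetime.strptime(m.group(1), "%d-%b-%Y").date() if m else None


def parse_whois(text):
    """Extract the fields the heuristics need from a flat WHOIS dump."""
    rec = {
        "created": _date(text, "Creation Date"),
        "expires": _date(text, "Expiration Date"),
        "domain": "",
        "state": "",
        "zip": "",
        # Nameserver lines as pasted: one host per line.
        "nameservers": re.findall(r"^(ns\d+\.[\w.-]+)$", text, re.M),
    }
    m = re.search(r"Domain Name:\s*(\S+)", text)
    if m:
        rec["domain"] = m.group(1).lower()
    m = re.search(r"^([A-Za-z ]+),\s*(\d{5})\b", text, re.M)  # "State,ZIP" line
    if m:
        rec["state"], rec["zip"] = m.group(1).strip().lower(), m.group(2)
    return rec


def state_for_zip(zip5):
    """State whose ZIP prefix range contains zip5, or None if unknown."""
    prefix = int(zip5[:3])
    for state, ranges in ZIP_PREFIXES.items():
        if any(lo <= prefix <= hi for lo, hi in ranges):
            return state
    return None


def triage(text, observed):
    """Return (severity, finding) pairs; an empty list means nothing stood out."""
    rec = parse_whois(text)
    findings = []
    if rec["created"]:
        age = (observed - rec["created"]).days
        if age < 30:
            findings.append(("high", f"domain is {age} days old"))
        if rec["expires"] and (rec["expires"] - rec["created"]).days <= 366:
            findings.append(("medium", "registered for the minimum one-year term"))
    zip_state = state_for_zip(rec["zip"]) if rec["zip"] else None
    if zip_state and zip_state != rec["state"]:
        findings.append(("medium", f"state {rec['state']!r} does not match ZIP "
                                   f"{rec['zip']} ({zip_state})"))
    ns_domains = {ns.split(".", 1)[1] for ns in rec["nameservers"]}
    if ns_domains and rec["domain"] not in ns_domains:
        findings.append(("info", "DNS served from " + ", ".join(sorted(ns_domains))))
    return findings


def triage_sample():
    """The record above, as seen on 17 Jan 2009."""
    return triage(SAMPLE_WHOIS, OBSERVED)


if __name__ == "__main__":
    for severity, finding in triage_sample():
        print(f"[{severity}] {finding}")
```

On the DNS point, the nameservers share a name with the registration provider (ALVO Business Solutions), which is at least as consistent with registrar-provided DNS as with self-hosting; the check only reports where DNS lives so you know what to look up next. Pasting real WHOIS output in place of SAMPLE_WHOIS works as long as the date fields use the same DD-Mon-YYYY layout.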

Guest Richard Urban
Posted

Here is the download link I forgot to post.

http://www.microsoft.com/downloads/details...&displaylang=en

 

--

 

Richard Urban

Microsoft MVP

Windows Desktop Experience

 

 

"John" <noreply@noreply.com> wrote in message

news:#XdA7sTeJHA.6012@TK2MSFTNGP02.phx.gbl...

> Hmmm...

>

> Well I set Automatic Update to run at 2am and I guess I'm not supposed to

> be prompted but I still don't have a file called mrt.exe. I also can't

> browse to the Windows Update site.

Posted

Actually, MBAM worked. However, to get it to work I had to...

 

Go to Start > Control Panel > Folder Options and set it to show hidden file

types, and not to hide extensions or system files

 

rename the installer

 

install it in safe mode

 

reboot in normal mode

 

right-click the desktop icon and find the path to the MBAM target executable

 

browse to and rename the target executable and double-click on it

 

After that all I had to do was reboot after it was finished and then connect

to the update server and I did get some updates, which means I should

probably run it again.

 

Thanks everyone. Your help is priceless and you provide an amazing resource.

 

 

"Richard Urban" <richardurbanREMOVETHIS@hotmail.com> wrote in message

news:e0PAtLUeJHA.5288@TK2MSFTNGP03.phx.gbl...

> Here is the download link I forgot to post.

> http://www.microsoft.com/downloads/details...&displaylang=en

>

> --

>

> Richard Urban

> Microsoft MVP

> Windows Desktop Experience
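
Having to rename both the installer and the target executable, as John did, is the tell that the malware was blocking security tools by file name. As an added example (not code from the thread, which never identifies the mechanism), the Python below checks for two common ways that is done, on constructed input so it runs offline: Image File Execution Options "Debugger" values, which Windows keys on the image file name at process start (so a renamed copy is not matched), and hosts-file entries for vendor and update domains, which produce exactly the "failed to connect" and redirect symptoms described earlier. The three watchlists and the sample `reg export` and hosts text are assumptions.

```python
"""Two checks for the kind of tool blocking John sidestepped by renaming.

Added example, not code from the thread, which never says which mechanism was
in play. Both checks below are for common ones: (1) an Image File Execution
Options (IFEO) "Debugger" value, which Windows looks up by image file name at
process start and which hands a listed tool to the "debugger" instead of
running it, so renaming the .exe defeats the lookup; (2) hosts-file lines
that pin vendor or update sites to loopback (connections fail) or to a foreign
address (redirect). The inputs are constructed text in the format of
`reg export` and of the hosts file, so this runs offline; the three
watchlists are small assumed subsets.
"""
import ntpath
import re

IFEO_KEY = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion"
            r"\Image File Execution Options")
SECURITY_TOOLS = {"mbam.exe", "spybotsd.exe", "avcenter.exe", "avgui.exe",
                  "mrt.exe", "hijackthis.exe"}          # image names malware targets
KNOWN_DEBUGGERS = {"windbg.exe", "cdb.exe", "vsjitdebugger.exe",
                   "devenv.exe"}                         # legitimate IFEO debuggers
WATCH_DOMAINS = {"avira.com", "avg.com", "microsoft.com", "windowsupdate.com",
                 "malwarebytes.org", "safer-networking.org"}  # never belong in hosts

# Constructed: what `reg export "<IFEO key>" ifeo.reg` could yield on a hijacked box.
SAMPLE_IFEO_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mbam.exe]
"Debugger"="C:\\WINDOWS\\system32\\svchost.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\spybotsd.exe]
"Debugger"="ntsd -d"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe]
"Debugger"="\"C:\\Program Files\\Debugging Tools\\windbg.exe\" -g"
"""

# Constructed hosts file with the kind of entries that match the thread's symptoms.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1       www.avira.com avira.com
127.0.0.1       www.avg.com free.avg.com
198.51.100.7    update.microsoft.com windowsupdate.microsoft.com  # TEST-NET-2
"""


def _debugger_exe(value):
    """Base name of the program in a Debugger value, quoted path or bare command."""
    if value.startswith('"'):
        prog = value[1:].split('"', 1)[0]
    else:
        prog = (value.split() or [""])[0]
    return ntpath.basename(prog).lower()


def find_ifeo_hijacks(reg_text):
    """IFEO subkeys whose Debugger value is suspicious, from `reg export` text."""
    hits, image = [], None
    for line in map(str.strip, reg_text.splitlines()):
        m = re.match(r"^\[(.+)\]$", line)
        if m:  # new subkey: remember the image name only if it sits under IFEO
            key = m.group(1)
            under_ifeo = key.lower().startswith(IFEO_KEY.lower() + "\\")
            image = key.rsplit("\\", 1)[-1].lower() if under_ifeo else None
            continue
        m = re.match(r'^"Debugger"="(.*)"$', line)
        if not (m and image):
            continue
        debugger = re.sub(r"\\(.)", r"\1", m.group(1))  # undo .reg escaping
        if image in SECURITY_TOOLS:
            hits.append({"image": image, "debugger": debugger, "severity": "high"})
        elif _debugger_exe(debugger) not in KNOWN_DEBUGGERS:
            hits.append({"image": image, "debugger": debugger, "severity": "medium"})
    return hits


def _watched(host):
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in WATCH_DOMAINS)


def find_hosts_hijacks(hosts_text):
    """Hosts entries for watched domains: 'blocked' if loopback, else 'redirected'."""
    hits = []
    for raw in hosts_text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 2:
            continue
        ip, names = fields[0], fields[1:]
        kind = "blocked" if ip.startswith("127.") or ip == "::1" else "redirected"
        hits.extend({"host": n, "ip": ip, "kind": kind} for n in names if _watched(n))
    return hits


if __name__ == "__main__":
    for h in find_ifeo_hijacks(SAMPLE_IFEO_REG):
        print(f"IFEO [{h['severity']}] {h['image']} -> {h['debugger']}")
    for h in find_hosts_hijacks(SAMPLE_HOSTS):
        print(f"hosts [{h['kind']}] {h['host']} -> {h['ip']}")
```

On the affected machine, `reg export "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options" ifeo.reg` produces the first input (open it with the encoding reg.exe wrote; it carries a BOM when UTF-16) and `%SystemRoot%\system32\drivers\etc\hosts` is the second. Any IFEO hit for a security tool explains why the unrenamed copy never started, and both kinds of entry should be removed before a scan result from that box is trusted.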

Guest David H. Lipman
Posted

From: "John" <noreply@noreply.com>

 

| Actually, MBAM worked. However, to get it to work I had to...

 

| Go to Start > Control Panel > Folder Options and set it to show hidden file

| types, and not to hide extensions or system files

 

| rename the installer

 

| install it in safe mode

 

| reboot in normal mode

 

| right-click the desktop icon and find the path to the MBAM target executable

 

| browse to and rename the target executable and double-click on it

 

| After that all I had to do was reboot after it was finished and then connect

| to the update server and I did get some updates, which means I should

| probably run it again.

 

| Thanks everyone. Your help is priceless and you provide an amazing resource.

 

YW John and thanx for the update!

 

 

--

Dave

http://www.claymania.com/removal-trojan-adware.html

Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp

Guest Bill Sanderson
Posted

You should have MRT.EXE in \windows\system32.

 

If you don't have it at all, your system is not getting all critical

updates, which it should be. If you have it but the date is not January,

get the current one from Microsoft--search on "malicious software removal

tool download details"

 

 

 

"John" <noreply@noreply.com> wrote in message

news:eo8z8kTeJHA.4040@TK2MSFTNGP03.phx.gbl...

> I actually d/l all updates as soon as prompted. I actually just got some

> updates within the past week. I just changed it to d/l automatically at

> 2a.m. I'll look for that file. Currently, a complete search of my C drive

> does not find it. Thanks.

 

 

--

Guest Bill Sanderson
Posted

It is important for you to figure out why you aren't getting critical updates, or you will be reinfected.

 

You might want to try a different tool to test whether you have all the updates in place.

 

Here are a couple that you might want to try:

 

Microsoft Baseline Security Analyzer 2.1, from Microsoft

 

http://technet.microsoft.com/en-us/security/cc184923.aspx

 

Secunia Personal Software Inspector

 

http://secunia.com/vulnerability_scanning/personal/

 

 

Both of these will check whether your Windows installation is up to date with security patches by methods independent of Windows Update, and each has additional functions which are well worth paying attention to as well.

Guest Richard Urban
Posted

I heartily suggest that you allow the updates to be installed

automatically, at whatever time you choose. Otherwise you may not be at the

computer to see the prompt telling you to install them NOW! You obviously

did not have an up to date system and were vulnerable - as you have found

out.

 

 

--

 

 

Richard Urban

Microsoft MVP

Windows Desktop Experience

 

 

"John" <noreply@noreply.com> wrote in message

news:uZeURHVeJHA.5420@TK2MSFTNGP02.phx.gbl...

> Actually, MBAM worked. However, to get it to work I had to...

>

> Go to Start > Control Panel > Folder Options and set it to show hidden

> file types, and not to hide extensions or system files

>

> rename the installer

>

> install it in safe mode

>

> reboot in normal mode

>

> right-click the desktop icon and find the path to the MBAM target

> executable

>

> browse to and rename the target executable and double-click on it

>

> After that all I had to do was reboot after it was finished and then

> connect to the update server and I did get some updates, which means I

> should probably run it again.

>

> Thanks everyone. Your help is priceless and you provide an amazing

> resource.

Guest mo3here
Posted

I for one take exception to your 'shame' comment with regards to not keeping

the virus definitions on our software up to date. I check daily and am

sitting here with a computer that seems to be infected with this same virus.

How did this virus install and run on a computer with newly installed Vista,

Live OneCare and Defender? At least twice a week, I do manual virus scans

and check for updates as well as the programmed daily scans. This virus is

exploiting windows vulnerabilities so don't dump this on Windows users

failing to keep our anti-virus software up to date. Even with the latest

definition running, I still got locked out of my laptop this morning.

 

In case it helps anyone, I booted into safe mode with network access and am

now running the recommended MSR tool. It's been running for 4.5 hours and

still hasn't found this bloody virus........... will keep you posted if I

have any luck.

 

Cheers

Lesia

 

"Richard Urban" wrote:

> This sounds surprisingly like the worm (called "Downadup" or "Conficker")

> that has infected 9 million computers to date.

> http://www.msnbc.msn.com/id/28708241/

>

> If so, shame for not installing your Windows updates in a timely fashion.

> There was a patch issued to prevent this in October.

>

> The latest version of the Microsoft Malicious Removal Tool, issued on the

> 2nd Tuesday of this month, will clean this out. You DID get January updates

> right? If so, search for mrt.exe and run the program from your computer. It

> will remove this and you should be golden.

>

>

> --

>

> Richard Urban

> Microsoft MVP

> Windows Desktop Experience

Guest David H. Lipman
Posted

From: "mo3here" <mo3here@discussions.microsoft.com>

 

| I for one take exception to your 'shame' comment with regards to not keeping

| the virus definitions on our software up to date. I check daily and am

| sitting here with a computer that seems to be infected with this same virus.

| How did this virus install and run on a computer with newly installed Vista,

| Live OneCare and Defender? At least twice a week, I do manual virus scans

| and check for updates as well as the programmed daily scans. This virus is

| exploiting windows vulnerabilities so don't dump this on Windows users

| failing to keep our anti-virus software up to date. Even with the latest

| definition running, I still got locked out of my laptop this morning.

 

| In case it helps anyone, I booted into safe mode with network access and am

| now running the recommended MSR tool. It's been running for 4.5 hours and

| still hasn't found this bloody virus........... will keep you posted if I

| have any luck.

 

| Cheers

| Lesia

 

 

You are assuming you are infected with the same malware and there is no evidence, that you

have provided, that you have a virus.

 

Instead of hijacking someone else's thread (and taking exception to what was posted) you

should create your own thread and fully provide the information on the problems YOU are

experiencing that leads you to believe your PC is infected.

 

 

--

Dave

http://www.claymania.com/removal-trojan-adware.html

Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp

Guest FromTheRafters
Posted

"mo3here" <mo3here@discussions.microsoft.com> wrote in message

news:FBAB597D-9EDD-4427-9EDC-29BFDD69D4BD@microsoft.com...

> I for one take exception to your 'shame' comment with regards to not

> keeping the virus definitions on our software up to date. I check daily and am

> sitting here with a computer that seems to be infected with this same

> virus.

 

Worm, actually. If indeed we are talking about Conficker.

> How did this virus install and run...

 

Viruses don't as a rule 'install' - they 'infect' programs as a means to

execute again and spread to yet again another program when executed.

Recursively replicating by attaching to code.

> on a computer with newly installed Vista, Live OneCare and Defender?

 

Not sure about this one, but many exploit based malwares make changes

to the system before any 'file' scanner has a file to scan. The exploit

allows the malware to execute within the guise (and security context) of

the hosting program.

 

...besides, a new variant of a particular malware may go unnoticed by the

scanner even if it does become a 'file' on the filesystem. You can't really

depend on any scanner to catch everything it 'knows' about - let alone

those it doesn't 'know' about yet.

> At least twice a week, I do manual virus scans

> and check for updates as well as the programmed daily scans. This virus

> is exploiting windows vulnerabilities so don't dump this on Windows users

> failing to keep our anti-virus software up to date. Even with the latest

> definition running, I still got locked out of my laptop this morning.

 

The 'shame' would be in not patching the vulnerability in a timely manner.

...and I'm not saying with whom the 'shame' should be. The latest variant

has added a weak password vector as well as some others - and the

'vulnerability' there is human.

 

Worms and viruses have a way of getting past even the best security.

Posted

I searched the Microsoft download center and didn't find it.

 

 

"Bill Sanderson" <bill_sanderson@msn.com.plugh.org> wrote in message

news:F7C2E89E-BD65-43AF-999F-8A6293ABE16D@microsoft.com...<span style="color:blue">

> You should have MRT.EXE in \windows\system32.

>

> If you don't have it at all, your system is not getting all critical

> updates, which it should be. If you have it but the date is not January,

> get the current one from Microsoft--search on "malicious software

> removal tool download details"

>

>

>

> "John" <noreply@noreply.com> wrote in message

> news:eo8z8kTeJHA.4040@TK2MSFTNGP03.phx.gbl...<span style="color:green">

>> I actually d/l all updates as soon as prompted. I actually just got some

>> updates within the past week. I just changed it to d/l automatically at

>> 2a.m. I'll look for that file. Currently, a complete search of my C drive

>> does not find it. Thanks.

>>

>>

>> "Richard Urban" <richardurbanREMOVETHIS@hotmail.com> wrote in message

>> news:Okhl3SQeJHA.1272@TK2MSFTNGP04.phx.gbl...<span style="color:darkred">

>>> This sounds surprisingly like the worm (called "Downadup" or "Conficker") that has infected 9 million computers to date.
>>> http://www.msnbc.msn.com/id/28708241/
>>>
>>> If so, shame for not installing your Windows updates in a timely fashion. There was a patch issued to prevent this in October.
>>>
>>> The latest version of the Microsoft Malicious Removal Tool, issued on the 2nd Tuesday of this month, will clean this out. You DID get January updates right? If so, search for mrt.exe and run the program from your computer. It will remove this and you should be golden.
>>>
>>> --
>>> Richard Urban
>>> Microsoft MVP
>>> Windows Desktop Experience
>>>
>>> "John" <noreply@noreply.com> wrote in message
>>> news:uzd5YbNeJHA.5344@TK2MSFTNGP05.phx.gbl...

>>>> I seem to have some kind of malware affecting IE7 & Firefox on my PC w/ XP. Does anyone recognize this? I have Avira AntiVir, been updating it every day and scans don't detect anything.
>>>>
>>>> I am not able to browse to certain sites like avira.com, avg.com, and other anti-virus sites. With IE7 I get redirected to a Google page and w/ Firefox a "page load error" screen saying that the browser "failed to connect".
>>>>
>>>> If I type www.avira.com into IE7 I am redirected to a Google search page at this URL (I don't advise clicking it):
>>>>
>>>> http://www.google.com/search?q=www.avira.c...ex=&startPage=1
>>>>
>>>> If I click the link to avira.com from that page, it takes me to this URL (again, I don't advise clicking it):
>>>>
>>>> http://go.google.com/?u=00a3f63266b79fba14...d=v300&mppc=234
>>>>
>>>> Then a page saying that I have security problems pops up, and prompts me to download security updates, and IE puts up a message bar saying that it has blocked the site from downloading files, as you can see in the screen capture here (feel free to click this one):
>>>>
>>>> http://productivitymuse.com/screenshot_090117.jpg
>>>>
>>>> The URL of the page in the screen capture is (don't click it):
>>>>
>>>> http://scan.antispyware-pro-scanner.com/243/3/
>>>>
>>>> Does anyone know what could be causing my browser to redirect like this and how to correct it?
>>>>
>>>> An adjunctive problem is that Spybot S&D won't start. When I click it, I get an hourglass for a few seconds and then nothing happens. When I go into Task Manager it does not show Spybot running.
>>>>
>>>> All of this started happening late Wednesday night (possibly after midnight) after the Windows Security Center popped up and told me that I had the zafi.b worm. A scan w/ AntiVir detected and deleted some files and the zafi.b warnings went away, but obviously I still have something. I installed AVG as well, and it didn't find anything and wouldn't connect to the update server.
>>>>
>>>> Thanks for any advice.
>>>>
>>>> Here's some info on the registrant of the site that is trying to download files to my computer. Notice that the domain was just published on 1/15/09. The site is also self-hosted, which means that Mr. Mott from Detroit Michigan 48204 (not Mississippi) can have anything he wants on his server...
>>>>
>>>> Registration Service Provided By: ALVO BUSINESS SOLUTIONS, CORP.
>>>> Contact: +1.8662097142
>>>>
>>>> Domain Name: ANTISPYWARE-PRO-SCANNER.COM
>>>>
>>>> Registrant:
>>>> N/A
>>>> Deron Mott (deronmott@ymail.com)
>>>> Fremont St. 91 21
>>>> DETROIT
>>>> Mississippi,48204
>>>> US
>>>> Tel. +131.433437
>>>>
>>>> Creation Date: 15-Jan-2009
>>>> Expiration Date: 15-Jan-2010
>>>>
>>>> Domain servers in listed order:
>>>> ns4.alvobs.com
>>>> ns3.alvobs.com
>>>> ns2.alvobs.com
>>>> ns1.alvobs.com
>>>>

>>>></span>

>></span>
>
> --
></span>
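As an added example (not part of the thread and not any poster's code): the two quick checks a defender would run from the symptoms above are whether the hosts file has been made to pin security-vendor names to loopback or a foreign address, and how young the domain behind the "scanner" page is. The script below does both on constructed input. The hosts-file contents are invented, the WHOIS excerpt is the one John pasted, the vendor list beyond avira.com and avg.com is an assumption, and the reference date 2009-01-17 is taken from the screenshot file name. Blocking of this kind can also be done inside the resolver rather than the hosts file, so a clean hosts file does not by itself clear the machine.

```python
"""Triage helpers for the symptoms in the thread: security-vendor sites that
cannot be reached, and a rogue 'scanner' site on a days-old domain.
Added example, not from the original thread."""
import re
from datetime import date, datetime

# Domains the poster could not reach (avira.com, avg.com) plus assumed extras;
# a legitimate hosts file never needs to override any of these names.
VENDOR_DOMAINS = ("avira.com", "avg.com", "microsoft.com", "symantec.com")

LOOPBACK = {"127.0.0.1", "0.0.0.0", "::1"}


def parse_hosts(text):
    """Return (ip, hostname) pairs from hosts-file text, ignoring comments."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        ip, names = parts[0], parts[1:]
        for name in names:
            entries.append((ip, name.lower()))
    return entries


def suspicious_host_entries(text, domains=VENDOR_DOMAINS):
    """Hosts entries that pin a security-vendor hostname to any address.
    Loopback means the site is blocked; anything else means it is redirected."""
    hits = []
    for ip, name in parse_hosts(text):
        if any(name == d or name.endswith("." + d) for d in domains):
            kind = "blocked" if ip in LOOPBACK else "redirected"
            hits.append((name, ip, kind))
    return hits


def domain_age_days(whois_text, as_of):
    """Parse a 'Creation Date: 15-Jan-2009' line and return the age in days
    as of the given date, or None when no creation date is present."""
    m = re.search(r"Creation Date:\s*(\d{1,2}-[A-Za-z]{3}-\d{4})", whois_text)
    if not m:
        return None
    created = datetime.strptime(m.group(1), "%d-%b-%Y").date()
    return (as_of - created).days


# Constructed sample hosts file showing the pattern (not from a real machine).
SAMPLE_HOSTS = """# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1       www.avira.com  avira.com
0.0.0.0         update.avg.com
192.0.2.10      www.symantec.com   # RFC 5737 documentation address
10.1.2.3        intranet.example   # unrelated, legitimate entry
"""

# WHOIS excerpt as pasted in the thread; the screenshot is dated 2009-01-17.
SAMPLE_WHOIS = """Domain Name: ANTISPYWARE-PRO-SCANNER.COM
Creation Date: 15-Jan-2009
Expiration Date: 15-Jan-2010
"""
SCREENSHOT_DATE = date(2009, 1, 17)

if __name__ == "__main__":
    for name, ip, kind in suspicious_host_entries(SAMPLE_HOSTS):
        print(f"{kind:10s} {name} -> {ip}")
    print("domain age (days):", domain_age_days(SAMPLE_WHOIS, SCREENSHOT_DATE))
```

On a real XP box the hosts file lives at %SystemRoot%\system32\drivers\etc\hosts; feed its contents to suspicious_host_entries and compare the domain age against your own threshold (a registration two days old, as here, is a strong signal on its own).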
