malware affecting IE7 on XP

Thread starter: John
I seem to have some kind of malware affecting IE7 & Firefox on my PC w/ XP.
Does anyone recognize this? I have Avira AntiVir, been updating it every
day and scans don't detect anything.

I am not able to browse to certain sites like avira.com, avg.com, and other
anti-virus sites. With IE7 I get redirected to a Google page and w/ Firefox
a "page load error" screen saying that the browser "failed to connect".

If I type www.avira.com into IE7 I am redirected to a Google search page at
this URL (I don't advise clicking it):

http://www.google.com/search?q=www.avira.c...ex=&startPage=1

If I click the link to avira.com from that page, it takes me to this URL
(again, I don't advise clicking it):

http://go.google.com/?u=00a3f63266b79fba14...d=v300&mppc=234

Then a page saying that I have security problems pops up, and prompts me to
download security updates, and IE puts up a message bar saying that it has
blocked the site from downloading files, as you can see in the screen
capture here (feel free to click this one):

http://productivitymuse.com/screenshot_090117.jpg

The URL of the page in the screen capture is (don't click it):

http://scan.antispyware-pro-scanner.com/243/3/

Does anyone know what could be causing my browser to redirect like this and
how to correct it?

An adjunctive problem is that Spybot S&D won't start. When I click it, I get
an hourglass for a few seconds and then nothing happens. When I go into Task
Manager it does not show Spybot running.

All of this started happening late Wednesday night (possibly after midnight)
after the Windows Security Center popped up and told me that I had the
zafi.b worm. A scan w/ AntiVir detected and deleted some files and the
zafi.b warnings went away, but obviously I still have something. I installed
AVG as well, and it didn't find anything and wouldn't connect to the update
server.

Thanks for any advice.

Here's some info on the registrant of the site that is trying to download
files to my computer. Notice that the domain was just published on 1/15/09.
The site is also self-hosted, which means that Mr. Mott from Detroit
Michigan 48204 (not Mississippi) can have anything he wants on his server...

Registration Service Provided By: ALVO BUSINESS SOLUTIONS, CORP.
Contact: +1.8662097142

Domain Name: ANTISPYWARE-PRO-SCANNER.COM

Registrant:
N/A
Deron Mott (deronmott@ymail.com)
Fremont St. 91 21
DETROIT
Mississippi,48204
US
Tel. +131.433437

Creation Date: 15-Jan-2009
Expiration Date: 15-Jan-2010

Domain servers in listed order:
ns4.alvobs.com
ns3.alvobs.com
ns2.alvobs.com
ns1.alvobs.com
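
The two checks John applies to this WHOIS record by eye (how recently the domain was registered, and whether the registrant's state matches the ZIP code), written out as an added example that is not part of the original thread. The sighting date of 17 Jan 2009 (taken from the screenshot file name), the 30-day threshold and the two-state ZIP prefix table are assumptions of this example.

```python
import re
from datetime import date

# WHOIS text trimmed from the post above (registrant name and e-mail left out).
WHOIS_TEXT = """\
Domain Name: ANTISPYWARE-PRO-SCANNER.COM

Registrant:
N/A
Fremont St. 91 21
DETROIT
Mississippi,48204
US
Tel. +131.433437

Creation Date: 15-Jan-2009
Expiration Date: 15-Jan-2010
"""

MONTHS = {m: i for i, m in enumerate(
    "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split(), start=1)}

# Partial table of US ZIP prefixes (first three digits) covering only the two
# states this record mentions. Assumption of this example; a real check needs
# the full table.
ZIP3_STATE = {}
ZIP3_STATE.update({p: "Michigan" for p in range(480, 500)})
ZIP3_STATE.update({p: "Mississippi" for p in range(386, 398)})


def parse_whois_date(text):
    """Parse the DD-Mon-YYYY form used in the record, independent of locale."""
    day, mon, year = text.split("-")
    return date(int(year), MONTHS[mon.title()], int(day))


def parse_whois(text):
    """Pull out the fields the two checks need from a free-text WHOIS record."""
    fields = {}
    for key in ("Domain Name", "Creation Date", "Expiration Date"):
        m = re.search(rf"^{key}:\s*(\S+)", text, re.MULTILINE)
        if m:
            fields[key] = m.group(1)
    # Registrant line of the form "State,ZIP"
    m = re.search(r"^([A-Za-z ]+),\s*(\d{5})\s*$", text, re.MULTILINE)
    if m:
        fields["State"], fields["Zip"] = m.group(1).strip(), m.group(2)
    return fields


def triage(text, seen_on, max_age_days=30):
    """Return the domain, its age when seen, and a list of findings."""
    f = parse_whois(text)
    findings = []
    age = None

    if "Creation Date" in f:
        age = (seen_on - parse_whois_date(f["Creation Date"])).days
        if 0 <= age <= max_age_days:
            findings.append(f"registered {age} day(s) before it was seen")
    else:
        findings.append("record has no creation date")

    if "Zip" in f:
        zip_state = ZIP3_STATE.get(int(f["Zip"][:3]))
        if zip_state and zip_state.lower() != f["State"].lower():
            findings.append(
                f"ZIP {f['Zip']} is in {zip_state}, record says {f['State']}")

    return {"domain": f.get("Domain Name"), "age_days": age,
            "findings": findings}


if __name__ == "__main__":
    # Sighting date assumed from the screenshot file name in the post.
    report = triage(WHOIS_TEXT, seen_on=date(2009, 1, 17))
    print(report["domain"], "age:", report["age_days"], "days")
    for line in report["findings"]:
        print(" -", line)
```

Neither finding identifies a person; together they only say that the record is new and internally inconsistent, which is a reason to distrust its contents.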
 
I suggest you use the following pair...

Malwarebytes Anti-Malware
http://www.malwarebytes.org/mbam/program/mbam-setup.exe

SuperAntiSpyware
http://www.superantispyware.com/downloadfi...ANTISPYWAREFREE




--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
 
I see that Malke replied to a similar post and will try those steps...

But maybe Mr. Deron Mott should be investigated because I'm getting
redirected to his web site, which is trying to d/l files to my computer.
Seems like he may be the source of the problem.


 
Thanks David. Unfortunately my browser won't connect to either of those
sites. I'll have to see if I can get a friend to d/l them and put them on a
disk for me.


"David H. Lipman" wrote in message
news:Oth9ZlNeJHA.3776@TK2MSFTNGP04.phx.gbl...

> I suggest you use the following pair...
>
> Malwarebytes Anti-Malware
> http://www.malwarebytes.org/mbam/program/mbam-setup.exe
>
> SuperAntiSpyware
> http://www.superantispyware.com/downloadfi...ANTISPYWAREFREE
>
>
>
>
> --
> Dave
> http://www.claymania.com/removal-trojan-adware.html
> Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
>
>
 
Hi -

I am having terrible problems with this. I tried to download what you
suggested (Malwarebytes Anti-Malware and SuperAntiSpyware), but my
laptop wouldn't allow it (presumably under the direction of the virus).
I then went to another laptop and successfully downloaded both of them
to a portable usb drive which I then plugged into the infected one ...
but the infected laptop won't let either of them execute.

Any suggestions?

Clinton


--
ur85q
------------------------------------------------------------------------
ur85q's Profile: http://forums.techarena.in/members/ur85q.htm
View this thread: http://forums.techarena.in/security-virus/1105254.htm

http://forums.techarena.in
 
From: "ur85q"

| Hi -

| I am having terrible problems with this. I tried to download what you suggested
| (Malwarebytes Anti-Malware and SuperAntiSpyware), but my laptop wouldn't allow it
| (presumably under the direction of the virus). I then went to another laptop and
| successfully downloaded both of them to a portable usb drive which I then plugged into
| the infected one ... but the infected laptop won't let either of them execute.

| Any suggestions?

Rename the installers.

Additionally you can download the MBAM signatures the same way...

http://www.gt500.org/malwarebytes/database.jsp

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
 
From: "John"

| I see that Malke replied to a similar post and will try those steps...

| But maybe Mr. Deron Mott should be investigated because I'm getting
| redirected to his web site, which is trying to d/l files to my computer.
| Seems like he may be the source of the problem.

LOL -- Fake info !


--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
 
This sounds surprisingly like the worm (called "Downadup" or "Conficker")
that has infected 9 million computers to date.
http://www.msnbc.msn.com/id/28708241/

If so, shame for not installing your Windows updates in a timely fashion.
There was a patch issued to prevent this in October.

The latest version of the Microsoft Malicious Removal Tool, issued on the
2nd Tuesday of this month, will clean this out. You DID get January updates
right? If so, search for mrt.exe and run the program from your computer. It
will remove this and you should be golden.


--

Richard Urban
Microsoft MVP
Windows Desktop Experience


 
Hi again - thanks for that. Okay, so both programs are now installed
(hooray!) but the installed software won't run if I double click on the
new icons. Is there a clever way to get them going?

Thanks so much for your help. It's not until you get infected like I
have, that you realize how important it is to keep these nasties under
control.

Clinton


 
From: "ur85q"

| Hi again - thanks for that. Okay, so both programs are now installed (hooray!) but
| the installed software won't run if I double click on the new icons. Is there a clever
| way to get them going?

| Thanks so much for your help. It's not until you get infected like I have, that you
| realize how important it is to keep these nasties under control.

| Clinton -- ur85q


Yes, instead of clicking on the link file (LNK), go to the folder, rename the EXE file and
then manually run it.


--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
 
Use my Remove-it software, my site is not blocked by that malware, it will
remove that malware from your system. Choose yes for all options when
prompted. Download it here http://pcbutts1.com/downloads/tools/tools.htm



--
The Real Truth http://pcbutts1-therealtruth.blogspot.com/




"John" wrote in message
news:OJZ1FEOeJHA.3968@TK2MSFTNGP06.phx.gbl...
> Thanks David. Unfortunately my browser won't connect to either of those
> sites. I'll have to see if I can get a friend to d/l them and put them on
> a disk for me.
>
>
> "David H. Lipman" wrote in message
> news:Oth9ZlNeJHA.3776@TK2MSFTNGP04.phx.gbl...
>
>> I suggest you use the following pair...
>>
>> Malwarebytes Anti-Malware
>> http://www.malwarebytes.org/mbam/program/mbam-setup.exe
>>
>> SuperAntiSpyware
>> http://www.superantispyware.com/downloadfi...ANTISPYWAREFREE
>>
>>
>>
>>
>> --
>> Dave
>> http://www.claymania.com/removal-trojan-adware.html
>> Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
>>
>>

>
>
 
Use my Remove-it software, my site is not blocked by that malware, it will
remove that malware from your system. Choose yes for all options when
prompted. Download it here http://pcbutts1.com/downloads/tools/tools.htm


--
The Real Truth http://pcbutts1-therealtruth.blogspot.com/




"ur85q" wrote in message
news:ur85q.3m6ezb@DoNotSpam.com...
>
> Hi -
>
> I am having terrible problems with this. I tried to download what you
> suggested (Malwarebytes Anti-Malware and SuperAntiSpyware), but my
> laptop wouldn't allow it (presumably under the direction of the virus).
> I then went to another laptop and successfully downloaded both of them
> to a portable usb drive which I then plugged into the infected one ...
> but the infected laptop won't let either of them execute.
>
> Any suggestions?
>
> Clinton
>
>
> --
> ur85q
> ------------------------------------------------------------------------
> ur85q's Profile: http://forums.techarena.in/members/ur85q.htm
> View this thread: http://forums.techarena.in/security-virus/1105254.htm
>
> http://forums.techarena.in
>
 
I actually d/l all updates as soon as prompted. I actually just got some
updates within the past week. I just changed it to d/l automatically at
2a.m. I'll look for that file. Currently, a complete search of my C drive
does not find it. Thanks.


"Richard Urban" wrote in message
news:Okhl3SQeJHA.1272@TK2MSFTNGP04.phx.gbl...
> This sounds surprisingly like the worm (called "Downadup" or "Conficker")
> that has infected 9 million computers to date.
> http://www.msnbc.msn.com/id/28708241/
>
> If so, shame for not installing your Windows updates in a timely fashion.
> There was a patch issued to prevent this in October.
>
> The latest version of the Microsoft Malicious Removal Tool, issued on the
> 2nd Tuesday of this month, will clean this out. You DID get January
> updates right? If so, search for mrt.exe and run the program from your
> computer. It will remove this and you should be golden.
>
>
> --
>
> Richard Urban
> Microsoft MVP
> Windows Desktop Experience
 
Hmmm...

Well I set Automatic Update to run at 2am and I guess I'm not supposed to be
prompted but I still don't have a file called mrt.exe. I also can't browse
to the Windows Update site.

"Richard Urban" wrote in message
news:Okhl3SQeJHA.1272@TK2MSFTNGP04.phx.gbl...
> This sounds surprisingly like the worm (called "Downadup" or "Conficker")
> that has infected 9 million computers to date.
> http://www.msnbc.msn.com/id/28708241/
>
> If so, shame for not installing your Windows updates in a timely fashion.
> There was a patch issued to prevent this in October.
>
> The latest version of the Microsoft Malicious Removal Tool, issued on the
> 2nd Tuesday of this month, will clean this out. You DID get January
> updates right? If so, search for mrt.exe and run the program from your
> computer. It will remove this and you should be golden.
>
>
> --
>
> Richard Urban
> Microsoft MVP
> Windows Desktop Experience
 
Use another computer to download the MRT.exe from the Microsoft web site.
Then try to install it on your infected computer. Note that the infection
may also prevent this from being possible. If you get it successfully
installed, run the program and do a full scan. It may take a couple of
hours.



--

Richard Urban
Microsoft MVP
Windows Desktop Experience


"John" wrote in message
news:#XdA7sTeJHA.6012@TK2MSFTNGP02.phx.gbl...
> Hmmm...
>
> Well I set Automatic Update to run at 2am and I guess I'm not supposed to
> be prompted but I still don't have a file called mrt.exe. I also can't
> browse to the Windows Update site.
>
> "Richard Urban" wrote in message
> news:Okhl3SQeJHA.1272@TK2MSFTNGP04.phx.gbl...
>> This sounds surprisingly like the worm (called "Downadup" or "Conficker")
>> that has infected 9 million computers to date.
>> http://www.msnbc.msn.com/id/28708241/
>>
>> If so, shame for not installing your Windows updates in a timely fashion.
>> There was a patch issued to prevent this in October.
>>
>> The latest version of the Microsoft Malicious Removal Tool, issued on the
>> 2nd Tuesday of this month, will clean this out. You DID get January
>> updates right? If so, search for mrt.exe and run the program from your
>> computer. It will remove this and you should be golden.
>>
>>
>> --
>>
>> Richard Urban
>> Microsoft MVP
>> Windows Desktop Experience
 
Here is the download link I forgot to post.
http://www.microsoft.com/downloads/details...&displaylang=en

--

Richard Urban
Microsoft MVP
Windows Desktop Experience


"John" wrote in message
news:#XdA7sTeJHA.6012@TK2MSFTNGP02.phx.gbl...
> Hmmm...
>
> Well I set Automatic Update to run at 2am and I guess I'm not supposed to
> be prompted but I still don't have a file called mrt.exe. I also can't
> browse to the Windows Update site.
>
> "Richard Urban" wrote in message
> news:Okhl3SQeJHA.1272@TK2MSFTNGP04.phx.gbl...
>> This sounds surprisingly like the worm (called "Downadup" or "Conficker")
>> that has infected 9 million computers to date.
>> http://www.msnbc.msn.com/id/28708241/
>>
>> If so, shame for not installing your Windows updates in a timely fashion.
>> There was a patch issued to prevent this in October.
>>
>> The latest version of the Microsoft Malicious Removal Tool, issued on the
>> 2nd Tuesday of this month, will clean this out. You DID get January
>> updates right? If so, search for mrt.exe and run the program from your
>> computer. It will remove this and you should be golden.
>>
>>
>> --
>>
>> Richard Urban
>> Microsoft MVP
>> Windows Desktop Experience
>>
>>
>> "John" wrote in message
>> news:uzd5YbNeJHA.5344@TK2MSFTNGP05.phx.gbl...
>>> I seem to have some kind of malware affecting IE7 & Firefox on my PC w/
>>> XP. Does anyone recopgnize this? I have Avira AntiVir, been updating it
>>> every day and scans don't detect anything.
>>>
>>> I am not able to browse to certain sites like avira.com, avg.com, and
>>> other anti-virus sites. With IE7 I get redirected to a Google page and
>>> w/ Firefox a "page load error" screen saying that the browser "failed to
>>> connect".
>>>
>>> If I type www.avira.com into IE7 I am redirected to a Google search page
>>> at this URL (I don't advise clicking it):
>>>
>>> http://www.google.com/search?q=www.avira.c...ex=&startPage=1
>>>
>>> If I click the link to avira.com from that page, it takes me to this URL
>>> (again, I don't advise clicking it):
>>>
>>> http://go.google.com/?u=00a3f63266b79fba14...d=v300&mppc=234
>>>
>>> Then a page saying that I have security problems pops up, and prompts me
>>> to download security updates, and IE puts up a message bar saying that
>>> it has blocked the site from downloading files, as you can see in the
>>> screen capture here (feel free to click this one):
>>>
>>> http://productivitymuse.com/screenshot_090117.jpg
>>>
>>> The URL of the page in the screen capture is (don't click it):
>>>
>>> http://scan.antispyware-pro-scanner.com/243/3/
>>>
>>> Does anyone know what could be causing my browser to redirect like this
>>> and how to correct it?
>>>
>>> An adjunctive problem is that Spybot S&D won't start. When I click it, I
>>> get an hourglass for a few seconds and then nothing happens. When I go
>>> into Task Manager it does not show Spybot running.
>>>
>>> All of this started happening late Wednesday night (possibly after
>>> midnight) after the Windows Security Center popped up and told me that I
>>> had the zafi.b worm. A scan w/ AntiVir detected and deleted some
>>> files and the zafi.b warnings went away, but obviously I still have
>>> something. I installed AVG as well, and it didn't find anything and
>>> wouldn't connect to the update server.
>>>
>>> Thanks for any advice.
>>>
>>> Here's some info on the registrant of the site that is trying to
>>> download files to my computer. Notice that the domain was just published
>>> on 1/15/09. The site is also self-hosted, which means that Mr. Mott from
>>> Detroit Michigan 48204 (not Mississippi) can have anything he wants on
>>> his server...
>>>
>>> Registration Service Provided By: ALVO BUSINESS SOLUTIONS, CORP.
>>> Contact: +1.8662097142
>>>
>>> Domain Name: ANTISPYWARE-PRO-SCANNER.COM
>>>
>>> Registrant:
>>> N/A
>>> Deron Mott (deronmott@ymail.com)
>>> Fremont St. 91 21
>>> DETROIT
>>> Mississippi,48204
>>> US
>>> Tel. +131.433437
>>>
>>> Creation Date: 15-Jan-2009
>>> Expiration Date: 15-Jan-2010
>>>
>>> Domain servers in listed order:
>>> ns4.alvobs.com
>>> ns3.alvobs.com
>>> ns2.alvobs.com
>>> ns1.alvobs.com
 
Actually, MBAM worked. However, to get it to work I had to...

Go to Start > Control Panel > Folder Options and set it to show hidden file
types, and not to hide extensions or system files

rename the installer

install it in safe mode

reboot in normal mode

right-click the desktop icon and find the path to the MBAM target executable

browse to and rename the target executable and double-click on it

After that all I had to do was reboot after it was finished and then connect
to the update server and I did get some updates, which means I should
probably run it again.

Thanks everyone. Your help is priceless and you provide an amazing resource.


 
From: "John"

| Actually, MBAM worked. However, to get it to work I had to...

| Go to Start > Control Panel > Folder Options and set it to show hidden file
| types, and not to hide extensions or system files

| rename the installer

| install it in safe mode

| reboot in normal mode

| right-click the desktop icon and find the path to the MBAM target executable

| browse to and rename the target executable and double-click on it

| After that all I had to do was reboot after it was finished and then connect
| to the update server and I did get some updates, which means I should
| probably run it again.

| Thanks everyone. Your help is priceless and you provide an amazing resource.

YW John and thanx for the update!


--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
 
You should have MRT.EXE in \windows\system32.

If you don't have it at all, your system is not getting all critical
updates, which it should be. If you have it, but the date is not January,
get the current one from Microsoft--search on "malicious software removal
tool download details"



"John" wrote in message
news:eo8z8kTeJHA.4040@TK2MSFTNGP03.phx.gbl...
> I actually d/l all updates as soon as prompted. I actually just got some
> updates within the past week. I just changed it to d/l automatically at
> 2a.m. I'll look for that file. Currently, a complete search of my C drive
> does not find it. Thanks.

--
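
An added example, not part of any poster's message: a Python sketch of the check described in the post above (is MRT.EXE present in \windows\system32, and does its date match the most recent second-Tuesday release?). It assumes the file's modified date falls in the release month, as the post implies; the function names and the sample files are constructed for illustration.

```python
import datetime as dt
import os
import tempfile

def patch_tuesday(year, month):
    """Second Tuesday of a month, the release day named in the thread."""
    first = dt.date(year, month, 1)
    to_tuesday = (1 - first.weekday()) % 7   # weekday(): Mon=0, Tue=1
    return first + dt.timedelta(days=to_tuesday + 7)

def expected_release(today):
    """Most recent second Tuesday on or before `today`."""
    release = patch_tuesday(today.year, today.month)
    if today < release:                      # this month's tool is not out yet
        last = today.replace(day=1) - dt.timedelta(days=1)
        release = patch_tuesday(last.year, last.month)
    return release

def mrt_status(path, today):
    """Return 'missing', 'stale' or 'current', judged by the file's month."""
    if not os.path.isfile(path):
        return "missing"                     # critical updates are not arriving
    stamp = dt.date.fromtimestamp(os.path.getmtime(path))
    rel = expected_release(today)
    # Assumption: the modified date falls in the release month.
    fresh = (stamp.year, stamp.month) >= (rel.year, rel.month)
    return "current" if fresh else "stale"

def make_sample(directory, name, when):
    """Constructed stand-in for mrt.exe with a chosen modified date."""
    path = os.path.join(directory, name)
    open(path, "wb").close()
    ts = dt.datetime(when.year, when.month, when.day, 12).timestamp()
    os.utime(path, (ts, ts))
    return path

if __name__ == "__main__":
    today = dt.date(2009, 1, 17)             # constructed "today" in January 2009
    with tempfile.TemporaryDirectory() as d:
        old = make_sample(d, "mrt_dec.exe", dt.date(2008, 12, 9))
        new = make_sample(d, "mrt_jan.exe", dt.date(2009, 1, 13))
        for p in (old, new, os.path.join(d, "absent.exe")):
            print(os.path.basename(p), mrt_status(p, today))
    # On a real system, point mrt_status at %WINDIR%\system32\mrt.exe
    real = os.path.join(os.environ.get("WINDIR", r"C:\WINDOWS"), "system32", "mrt.exe")
    print(real, mrt_status(real, dt.date.today()))
```

A "missing" or "stale" result is the cue from the thread to find out why updates are not arriving and to fetch the current tool directly from Microsoft.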
 
It is important for you to figure out why you aren't getting critical updates, or you will be reinfected.

You might want to try a different tool to test whether you have all the updates in place.

Here are a couple that you might want to try:

Microsoft Baseline Security Analyzer 2.1, from Microsoft

http://technet.microsoft.com/en-us/security/cc184923.aspx

Secunia Personal Software Inspector

http://secunia.com/vulnerability_scanning/personal/


Both of these will check whether your Windows installation is up to date with security patches by methods independent of Windows Update, and each has additional functions which are well worth paying attention to as well.
 