malware affecting IE7 on XP

  • Thread starter: John
I heartily suggest that you allow the updates to be installed
automatically, at whatever time you choose. Otherwise you may not be at the
computer to see the prompt telling you to install them NOW! You obviously
did not have an up to date system and were vulnerable - as you have found
out.


--


Richard Urban
Microsoft MVP
Windows Desktop Experience


"John" wrote in message
news:uZeURHVeJHA.5420@TK2MSFTNGP02.phx.gbl...
> Actually, MBAM worked. However, to get it to work I had to...
>
> Go to Start > Control Panel > Folder Options and set it to show hidden
> file types, and not to hide extensions or system files
>
> rename the installer
>
> install it in safe mode
>
> reboot in normal mode
>
> right-click the desktop icon and find the path to the MBAM target
> executable
>
> browse to and rename the target executable and double-click on it
>
> After that all I had to do was reboot after it was finished and then
> connect to the update server and I did get some updates, which means I
> should probably run it again.
>
> Thanks everyone. Your help is priceless and you provide an amazing
> resource.
>
>
> "Richard Urban" wrote in message
> news:e0PAtLUeJHA.5288@TK2MSFTNGP03.phx.gbl...
>> Here is the download link I forgot to post.
>> http://www.microsoft.com/downloads/details...&displaylang=en
>>
>> --
>>
>> Richard Urban
>> Microsoft MVP
>> Windows Desktop Experience
>>
>>
>> "John" wrote in message
>> news:#XdA7sTeJHA.6012@TK2MSFTNGP02.phx.gbl...
>>> Hmmm...
>>>
>>> Well I set Automatic Update to run at 2am and I guess I'm not supposed
>>> to be prompted but I still don't have a file called mrt.exe. I also
>>> can't browse to the Windows Update site.
>>>
>>> "Richard Urban" wrote in message
>>> news:Okhl3SQeJHA.1272@TK2MSFTNGP04.phx.gbl...
>>>> This sounds surprisingly like the worm (called "Downadup" or
>>>> "Conficker") that has infected 9 million computers to date.
>>>> http://www.msnbc.msn.com/id/28708241/
>>>>
>>>> If so, shame for not installing your Windows updates in a timely
>>>> fashion. There was a patch issued to prevent this in October.
>>>>
>>>> The latest version of the Microsoft Malicious Removal Tool, issued on
>>>> the 2nd Tuesday of this month, will clean this out. You DID get January
>>>> updates right? If so, search for mrt.exe and run the program from your
>>>> computer. It will remove this and you should be golden.
>>>>
>>>>
>>>> --
>>>>
>>>> Richard Urban
>>>> Microsoft MVP
>>>> Windows Desktop Experience
>>>>
>>>>
>>>> "John" wrote in message
>>>> news:uzd5YbNeJHA.5344@TK2MSFTNGP05.phx.gbl...
>>>>> I seem to have some kind of malware affecting IE7 & Firefox on my PC
>>>>> w/ XP. Does anyone recognize this? I have Avira AntiVir, been
>>>>> updating it every day and scans don't detect anything.
>>>>>
>>>>> I am not able to browse to certain sites like avira.com, avg.com, and
>>>>> other anti-virus sites. With IE7 I get redirected to a Google page and
>>>>> w/ Firefox a "page load error" screen saying that the browser "failed
>>>>> to connect".
>>>>>
>>>>> If I type www.avira.com into IE7 I am redirected to a Google search
>>>>> page at this URL (I don't advise clicking it):
>>>>>
>>>>> http://www.google.com/search?q=www.avira.c...ex=&startPage=1
>>>>>
>>>>> If I click the link to avira.com from that page, it takes me to this
>>>>> URL (again, I don't advise clicking it):
>>>>>
>>>>> http://go.google.com/?u=00a3f63266b79fba14...d=v300&mppc=234
>>>>>
>>>>> Then a page saying that I have security problems pops up, and prompts
>>>>> me to download security updates, and IE puts up a message bar saying
>>>>> that it has blocked the site from downloading files, as you can see in
>>>>> the screen capture here (feel free to click this one):
>>>>>
>>>>> http://productivitymuse.com/screenshot_090117.jpg
>>>>>
>>>>> The URL of the page in the screen capture is (don't click it):
>>>>>
>>>>> http://scan.antispyware-pro-scanner.com/243/3/
>>>>>
>>>>> Does anyone know what could be causing my browser to redirect like
>>>>> this and how to correct it?
>>>>>
>>>>> An adjunctive problem is that Spybot S&D won't start. When I click it,
>>>>> I get an hourglass for a few seconds and then nothing happens. When I
>>>>> go into Task Manager it does not show Spybot running.
>>>>>
>>>>> All of this started happening late Wednesday night (possibly after
>>>>> midnight) after the Windows Security Center popped up and told me that
>>>>> I had the zafi.b worm. A scan w/ AntiVir detected and deleted
>>>>> some files and the zafi.b warnings went away, but obviously I still
>>>>> have something. I installed AVG as well, and it didn't find anything
>>>>> and wouldn't connect to the update server.
>>>>>
>>>>> Thanks for any advice.
>>>>>
>>>>> Here's some info on the registrant of the site that is trying to
>>>>> download files to my computer. Notice that the domain was just
>>>>> published on 1/15/09. The site is also self-hosted, which means that
>>>>> Mr. Mott from Detroit Michigan 48204 (not Mississippi) can have
>>>>> anything he wants on his server...
>>>>>
>>>>> Registration Service Provided By: ALVO BUSINESS SOLUTIONS, CORP.
>>>>> Contact: +1.8662097142
>>>>>
>>>>> Domain Name: ANTISPYWARE-PRO-SCANNER.COM
>>>>>
>>>>> Registrant:
>>>>> N/A
>>>>> Deron Mott (deronmott@ymail.com)
>>>>> Fremont St. 91 21
>>>>> DETROIT
>>>>> Mississippi,48204
>>>>> US
>>>>> Tel. +131.433437
>>>>>
>>>>> Creation Date: 15-Jan-2009
>>>>> Expiration Date: 15-Jan-2010
>>>>>
>>>>> Domain servers in listed order:
>>>>> ns4.alvobs.com
>>>>> ns3.alvobs.com
>>>>> ns2.alvobs.com
>>>>> ns1.alvobs.com
>>>>>
>
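John's observation in the post quoted above, that the domain pushing the fake scanner had only just been registered, can be checked mechanically. The following is an added example, not part of any poster's message: it parses the WHOIS fields quoted in the thread and flags a newly registered, minimum-term domain. The observation date (taken from the screenshot file name), the 30-day threshold and all function names are assumptions.

```python
import re
from datetime import date, datetime

# Excerpt of the WHOIS record quoted in the thread (registrant contact lines omitted).
WHOIS_TEXT = """\
Domain Name: ANTISPYWARE-PRO-SCANNER.COM

Creation Date: 15-Jan-2009
Expiration Date: 15-Jan-2010

Domain servers in listed order:
ns4.alvobs.com
ns3.alvobs.com
ns2.alvobs.com
ns1.alvobs.com
"""

# Leading Usenet quote markers ('>', '|', ':'), so quoted copies can be parsed too.
QUOTE_RE = re.compile(r"^(?:[ \t]*[>|:])+[ \t]?", re.M)
FIELD_RE = re.compile(
    r"^[ \t]*(Domain Name|Creation Date|Expiration Date)[ \t]*:[ \t]*(.+?)[ \t]*$",
    re.I | re.M,
)


def strip_quote_markers(text):
    """Remove reply-quote prefixes from each line of a pasted message."""
    return QUOTE_RE.sub("", text)


def parse_whois(text):
    """Extract domain, dates and name servers from this registrar's text layout."""
    record = {"name_servers": []}
    for key, value in FIELD_RE.findall(text):
        key = key.lower().replace(" ", "_")
        if key.endswith("_date"):
            value = datetime.strptime(value, "%d-%b-%Y").date()
        else:
            value = value.lower()
        record[key] = value
    in_ns = False
    for line in text.splitlines():
        line = line.strip()
        if line.lower().startswith("domain servers"):
            in_ns = True
        elif in_ns and line:
            record["name_servers"].append(line.lower())
        elif in_ns and record["name_servers"]:
            break  # blank line after the list ends the name-server block
    return record


def assess(record, observed_on, young_days=30):
    """Return findings that make a domain worth blocking or investigating."""
    findings = []
    age = (observed_on - record["creation_date"]).days
    term = (record["expiration_date"] - record["creation_date"]).days
    if age < 0:
        findings.append("creation date is later than the observation date")
    elif age <= young_days:  # threshold is an assumption, tune per environment
        findings.append(f"registered {age} day(s) before it was observed")
    if term <= 366:
        findings.append("registered for the minimum one-year term")
    return findings


# Assumed observation date, from the screenshot name screenshot_090117.jpg.
OBSERVED_ON = date(2009, 1, 17)

if __name__ == "__main__":
    rec = parse_whois(WHOIS_TEXT)
    print(rec["domain_name"], assess(rec, OBSERVED_ON))
```

Neither finding proves a domain is malicious; together they are a reason to block it at the proxy or resolver until someone has looked at it.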
 
I for one take exception to your 'shame' comment with regards to not keeping
the virus definitions on our software up to date. I check daily and am
sitting here with a computer that seems to be infected with this same virus.
How did this virus install and run on a computer with newly installed Vista,
Live OneCare and Defender? At least twice a week, I do manual virus scans
and check for updates as well as the programmed daily scans. This virus is
exploiting Windows vulnerabilities so don't dump this on Windows users
failing to keep our anti-virus software up to date. Even with the latest
definition running, I still got locked out of my laptop this morning.

In case it helps anyone, I booted into safe mode with network access and am
now running the recommended MSR tool. It's been running for 4.5 hours and
still hasn't found this bloody virus........... will keep you posted if I
have any luck.

Cheers
Lesia

"Richard Urban" wrote:

> This sounds surprisingly like the worm (called "Downadup" or "Conficker")
> that has infected 9 million computers to date.
> http://www.msnbc.msn.com/id/28708241/
>
> If so, shame for not installing your Windows updates in a timely fashion.
> There was a patch issued to prevent this in October.
>
> The latest version of the Microsoft Malicious Removal Tool, issued on the
> 2nd Tuesday of this month, will clean this out. You DID get January updates
> right? If so, search for mrt.exe and run the program from your computer. It
> will remove this and you should be golden.
 
From: "mo3here"

| I for one take exception to your 'shame' comment with regards to not keeping
| the virus definitions on our software up to date. I check daily and am
| sitting here with a computer that seems to be infected with this same virus.
| How did this virus install and run on a computer with newly installed Vista,
| Live OneCare and Defender? At least twice a week, I do manual virus scans
| and check for updates as well as the programmed daily scans. This virus is
| exploiting Windows vulnerabilities so don't dump this on Windows users
| failing to keep our anti-virus software up to date. Even with the latest
| definition running, I still got locked out of my laptop this morning.

| In case it helps anyone, I booted into safe mode with network access and am
| now running the recommended MSR tool. It's been running for 4.5 hours and
| still hasn't found this bloody virus........... will keep you posted if I
| have any luck.

| Cheers
| Lesia


You are assuming you are infected with the same malware and there is no evidence, that you
have provided, that you have a virus.

Instead of hijacking someone else's thread (and taking exception to what was posted) you
should create your own thread and fully provide the information on the problems YOU are
experiencing that leads you to believe your PC is infected.


--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
 
"mo3here" wrote in message
news:FBAB597D-9EDD-4427-9EDC-29BFDD69D4BD@microsoft.com...
> I for one take exception to your 'shame' comment with regards to not keeping
> the virus definitions on our software up to date. I check daily and am
> sitting here with a computer that seems to be infected with this same virus.


Worm, actually. If indeed we are talking about Conficker.

> How did this virus install and run...


Viruses don't as a rule 'install' - they 'infect' programs as a means to
execute again and spread to yet again another program when executed.
Recursively replicating by attaching to code.

> on a computer with newly installed Vista, Live OneCare and Defender?


Not sure about this one, but many exploit based malwares make changes
to the system before any 'file' scanner has a file to scan. The exploit allows
the malware to execute within the guise (and security context) of the hosting
program.

....besides, a new variant of a particular malware may go unnoticed by the
scanner even if it does become a 'file' on the filesystem. You can't really
depend on any scanner to catch everything it 'knows' about - let alone
those it doesn't 'know' about yet.

> At least twice a week, I do manual virus scans
> and check for updates as well as the programmed daily scans. This virus is
> exploiting Windows vulnerabilities so don't dump this on Windows users
> failing to keep our anti-virus software up to date. Even with the latest
> definition running, I still got locked out of my laptop this morning.


The 'shame' would be in not patching the vulnerability in a timely manner.
....and I'm not saying with whom the 'shame' should be. The latest variant
has added a weak password vector as well as some others - and the
'vulnerability' there is human.

Worms and viruses have a way of getting past even the best security.
 
I searched the Microsoft download center and didn't find it.


"Bill Sanderson" wrote in message
news:F7C2E89E-BD65-43AF-999F-8A6293ABE16D@microsoft.com...
> You should have MRT.EXE in \windows\system32.
>
> If you don't have it at all, your system is not getting all critical
> updates, which it should be. If you have it, but the date is not January,
> get the current one from Microsoft--search on "malicious software
> removal tool download details"
>
>
>
> "John" wrote in message
> news:eo8z8kTeJHA.4040@TK2MSFTNGP03.phx.gbl...
>> I actually d/l all updates as soon as prompted. I actually just got some
>> updates within the past week. I just changed it to d/l automatically at
>> 2a.m. I'll look for that file. Currently, a complete search of my C drive
>> does not find it. Thanks.
 
It's not in the download center.

http://www.microsoft.com/security/malwareremove/default.mspx

"John" wrote in message
news:%23$vtHrxgJHA.4408@TK2MSFTNGP06.phx.gbl...
:I searched the Microsoft download center and didn't find it.
 
Yes, I still don't have MRT and I will get the appropriate measures into
place. Thank you.


"Richard Urban" wrote in message
news:O2kwyyKfJHA.1252@TK2MSFTNGP03.phx.gbl...
>I heartily suggest that you allow the updates to be installed
>automatically, at whatever time you choose. Otherwise you may not be at the
>computer to see the prompt telling you to install them NOW! You obviously
>did not have an up to date system and were vulnerable - as you have found
>out.
 
Use my Remove-it software, it will remove that malware from your system.
Choose yes for all options when prompted. Download it here
http://pcbutts1.com/downloads/tools/tools.htm

--
The Real Truth http://pcbutts1-therealtruth.blogspot.com/




"John" wrote in message
news:ev4VmCygJHA.1288@TK2MSFTNGP02.phx.gbl...
> Yes, I still don't have MRT and I will get the appropriate measures into
> place. Thank you.
>
>
> "Richard Urban" wrote in message
> news:O2kwyyKfJHA.1252@TK2MSFTNGP03.phx.gbl...
>>I heartedly suggest that you allow the updates to be installed
>>automatically, at whatever time you choose. Otherwise you may not be at
>>the computer to see the prompt telling you to install them NOW! You
>>obviously did not have an up to date system and were vulnerable - as you
>>have found out.
>>
>>
>> --
>>
>>
>> Richard Urban
>> Microsoft MVP
>> Windows Desktop Experience
>>
>>
>> "John" wrote in message
>> news:uZeURHVeJHA.5420@TK2MSFTNGP02.phx.gbl...
>>> Actually, MBAM worked. However, to get it to work I had to...
>>>
>>> Go to Start > Control Panel > Folder Options and set it to show hidden
>>> file types, and not to hide extensions or system files
>>>
>>> rename the installer
>>>
>>> install it in safe mode
>>>
>>> reboot in normal mode
>>>
>>> right-click the desktop icon and find the path to the MBAM target
>>> executable
>>>
>>> browse to and rename the target executable and double-click on it
>>>
>>> After that all I had to do was reboot after it was finished and then
>>> connect to the update server and I did get some updates, which means I
>>> should probably run it again.
>>>
>>> Thanks everyone. Your help is priceless and you provide an amazing
>>> resource.
>>>
>>>
>>> "Richard Urban" wrote in message
>>> news:e0PAtLUeJHA.5288@TK2MSFTNGP03.phx.gbl...
>>>> Here is the download link I forgot to post.
>>>> http://www.microsoft.com/downloads/details...&displaylang=en
>>>>
>>>> --
>>>>
>>>> Richard Urban
>>>> Microsoft MVP
>>>> Windows Desktop Experience
>>>>
>>>>
>>>> "John" wrote in message
>>>> news:#XdA7sTeJHA.6012@TK2MSFTNGP02.phx.gbl...
>>>>> Hmmm...
>>>>>
>>>>> Well I set Automatic Update to run at 2am and I guess I'm not supposed
>>>>> to be prompted but I still don't have a file called mrt.exe. I also
>>>>> can't browse to the Windows Update site.
>>>>>
>>>>> "Richard Urban" wrote in message
>>>>> news:Okhl3SQeJHA.1272@TK2MSFTNGP04.phx.gbl...
>>>>>> This sounds surprisingly like the worm (called "Downadup" or
>>>>>> "Conficker") that has infected 9 million computers to date.
>>>>>> http://www.msnbc.msn.com/id/28708241/
>>>>>>
>>>>>> If so, shame for not installing your Window updates in a timely
>>>>>> fashion. There was a patch issued to prevent this in October.
>>>>>>
>>>>>> The latest version of the Microsoft Malicious Removal Tool, issued on
>>>>>> the 2nd Tuesday of this month, will clean this out. You DID get
>>>>>> January updates right? If so, search for mrt.exe and run the program
>>>>>> from your computer. It will remove this and you should be golden.
>>>>>>
>>>>>>
>>>>>> --
>>>>>>
>>>>>> Richard Urban
>>>>>> Microsoft MVP
>>>>>> Windows Desktop Experience
>>>>>>
>>>>>>
>>>>>> "John" wrote in message
>>>>>> news:uzd5YbNeJHA.5344@TK2MSFTNGP05.phx.gbl...
>>>>>>> I seem to have some kind of malware affecting IE7 & Firefox on my PC
>>>>>>> w/ XP. Does anyone recognize this? I have Avira AntiVir, been
>>>>>>> updating it every day and scans don't detect anything.
>>>>>>>
>>>>>>> I am not able to browse to certain sites like avira.com, avg.com,
>>>>>>> and other anti-virus sites. With IE7 I get redirected to a Google
>>>>>>> page and w/ Firefox a "page load error" screen saying that the
>>>>>>> browser "failed to connect".
>>>>>>>
>>>>>>> If I type www.avira.com into IE7 I am redirected to a Google search
>>>>>>> page at this URL (I don't advise clicking it):
>>>>>>>
>>>>>>> http://www.google.com/search?q=www.avira.c...ex=&startPage=1
>>>>>>>
>>>>>>> If I click the link to avira.com from that page, it takes me to this
>>>>>>> URL (again, I don't advise clicking it):
>>>>>>>
>>>>>>> http://go.google.com/?u=00a3f63266b79fba14...d=v300&mppc=234
>>>>>>>
>>>>>>> Then a page saying that I have security problems pops up, and
>>>>>>> prompts me to download security updates, and IE puts up a message
>>>>>>> bar saying that it has blocked the site from downloading files, as
>>>>>>> you can see in the screen capture here (feel free to click this
>>>>>>> one):
>>>>>>>
>>>>>>> http://productivitymuse.com/screenshot_090117.jpg
>>>>>>>
>>>>>>> The URL of the page in the screen capture is (don't click it):
>>>>>>>
>>>>>>> http://scan.antispyware-pro-scanner.com/243/3/
>>>>>>>
>>>>>>> Does anyone know what could be causing my browser to redirect like
>>>>>>> this and how to correct it?
>>>>>>>
>>>>>>> An adjunctive problem is that Spybot S&D won't start. When I click
>>>>>>> it, I get an hourglass for a few seconds and then nothing happens.
>>>>>>> When I go into Task Manager it does not show Spybot running.
>>>>>>>
>>>>>>> All of this started happening late Wednesday night (possibly after
>>>>>>> midnight) after the Windows Security Center popped up and told me
>>>>>>> that I had the zafi.b worm. A scan w/ AntiVir detected and
>>>>>>> deleted some files and the zafi.b warnings went away, but obviously
>>>>>>> I still have something. I installed AVG as well, and it didn't find
>>>>>>> anything and wouldn't connect to the update server.
>>>>>>>
>>>>>>> Thanks for any advice.
>>>>>>>
>>>>>>> Here's some info on the registrant of the site that is trying to
>>>>>>> download files to my computer. Notice that the domain was just
>>>>>>> published on 1/15/09. The site is also self-hosted, which means that
>>>>>>> Mr. Mott from Detroit Michigan 48204 (not Mississippi) can have
>>>>>>> anything he wants on his server...
>>>>>>>
>>>>>>> Registration Service Provided By: ALVO BUSINESS SOLUTIONS, CORP.
>>>>>>> Contact: +1.8662097142
>>>>>>>
>>>>>>> Domain Name: ANTISPYWARE-PRO-SCANNER.COM
>>>>>>>
>>>>>>> Registrant:
>>>>>>> N/A
>>>>>>> Deron Mott (deronmott@ymail.com)
>>>>>>> Fremont St. 91 21
>>>>>>> DETROIT
>>>>>>> Mississippi,48204
>>>>>>> US
>>>>>>> Tel. +131.433437
>>>>>>>
>>>>>>> Creation Date: 15-Jan-2009
>>>>>>> Expiration Date: 15-Jan-2010
>>>>>>>
>>>>>>> Domain servers in listed order:
>>>>>>> ns4.alvobs.com
>>>>>>> ns3.alvobs.com
>>>>>>> ns2.alvobs.com
>>>>>>> ns1.alvobs.com
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>
>>>>>
>>>
>>>

>>
>
>
 
From: "John"

| Yes, I still don't have MRT and I will get the appropriate measures into
| place. Thank you.


Please stay far away from the fake MS MVP, software plagiarizer and software pirate who
directed you to PCBUTTS1.COM who is known as PCBUTTS1.

http://www.viruslist.com/en/weblog?weblogid=197597102
http://www.nutnworks.com/forums/showthread.php?p=10097
http://www.besttechie.net/2006/09/07/pcbutts1-back-at-it/

"He" is malicious, his software is malicious and his suggested software is a conglomerate
of stolen code and utilities that will block access to anti malware web sites and other
reputable web sites.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
 
Liar and a troll
The Troll has gone crazy
http://pcbutts1-therealtruth.blogspot.com/
The truth about the David Lipman Troll
http://www.google.com/search?sourceid=navc...Extraordinaire+


--

*WARNING* Do NOT follow any advice given by the people listed below.
They do NOT have the expertise or knowledge to fix your issue.
Do not waste your time.
David H Lipman, Malke, PA Bear, Beauregard T. Shagnasty, Leythos



"David H. Lipman" wrote in message
news:u7XpyBzgJHA.4880@TK2MSFTNGP02.phx.gbl...
> From: "John"
>
> | Yes, I still don't have MRT and I will get the appropriate measures into
> | place. Thank you.
>
>
> Please stay far away from the fake MS MVP, software plagiarizer and
> software pirate who
> directed you to PCBUTTS1.COM who is known as PCBUTTS1.
>
> http://www.viruslist.com/en/weblog?weblogid=197597102
> http://www.nutnworks.com/forums/showthread.php?p=10097
> http://www.besttechie.net/2006/09/07/pcbutts1-back-at-it/
>
> "He" is malicious, his software is malicious and his suggested software is
> a conglomerate
> of stolen code and utilities that will block access to anti malware web
> sites and other
> reputable web sites.
>
> --
> Dave
> http://www.claymania.com/removal-trojan-adware.html
> Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
>
>
 
So far in “Safe Mode” {F8} I have used the following programs to rid myself
of Win32.Zafi.B Virus.

The issues are when I load the operating system XP Professional & log in, I
get a box saying “Found virus Win32.Zafi.b” would you like to “Enable
Protection”. It's like a firewall message box, and also IE7 directs me to a site
to download Defender, and any other sites I have tried going to closes
automatically after 3-sec – 10secs back to my desktop.

The following I have run in “Safe Mode” running full scans.

Malwarebytes Anti-Malware
http://www.malwarebytes.org/mbam/program/mbam-setup.exe

• SuperAntiSpyware
http://www.superantispyware.com/downloadfi...ANTISPYWAREFREE

• Remove It http://pcbutts1.com/downloads/tools/tools.htm

completed & successfully done full-scans, also have downloaded and installed
from my memory stick the Microsoft Malicious Removal Tool;
http://www.microsoft.com/downloads/details...&displaylang=en in (Safe-Mode)

I still cannot get rid of this virus!! I know the simple way is to format and
start again, but I am just one of those guys who don’t want these idiots to
win in the end, so any help or advice to try I am willing, if you can be
patient and offer me a victory! in this war.


Kind Regards


Brett.
 
From: "Brett"

| So far in “Safe Mode” {F8} I have used the following programs to rid myself
| of Win32.Zafi.B Virus.

| The issues are when I load the operating system XP Professional & log in, I
| get a box saying “Found virus Win32.Zafi.b” would you like to “Enable
| Protection”. It's like a firewall message box, and also IE7 directs me to a site
| to download Defender, and any other sites I have tried going to closes
| automatically after 3-sec – 10secs back to my desktop.

| The following I have run in “Safe Mode” running full scans.

| Malwarebytes Anti-Malware
| http://www.malwarebytes.org/mbam/program/mbam-setup.exe

| • SuperAntiSpyware
| http://www.superantispyware.com/downloadfi...ANTISPYWAREFREE

| • Remove It http://pcbutts1.com/downloads/tools/tools.htm

| completed & successfully done full-scans, also have downloaded and installed
| from my memory stick the Microsoft Malicious Removal Tool;
| http://www.microsoft.com/downloads/details...E72D-4F54-9AB3-
| 75B8EB148356&displaylang=en in (Safe-Mode)

| I still cannot get rid of this virus!! I know the simple way is to format and
| start again, but I am just one of those guys who don’t want these idiots to
| win in the end, so any help or advice to try I am willing, if you can be
| patient and offer me a victory! in this war.


| Kind Regards


| Brett.



--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
 
From: "Brett"

| So far in “Safe Mode” {F8} I have used the following programs to rid myself
| of Win32.Zafi.B Virus.

Use the McAfee and Sophos modules in the below Multi AV Scanning Tool.

Download MULTI_AV.EXE from the URL --
http://www.pctip.ch/ds/28400/28470/Multi_AV.exe
or
http://212.98.39.7/ds/28400/28470/Multi_AV.exe

http://www.pctip.ch/downloads/dl/35905.asp
or
http://212.98.39.7/downloads/dl/35905.asp

English:
http://www.raymond.cc/blog/archives/2008/0...virus-for-free/


To use this utility, perform the following...
Execute; Multi_AV.exe { Note: You must use the default folder C:\AV-CLS }
Choose; Unzip
Choose; Close

Execute; C:\AV-CLS\StartMenu.BAT
{ or Double-click on 'Start Menu' in C:\AV-CLS }

NOTE: You may have to disable your software FireWall or allow WGET.EXE to go through your
FireWall to allow it to download the needed AV vendor related files.

C:\AV-CLS\StartMenu.BAT -- { or Double-click on 'Start Menu' in C:\AV-CLS}
This will bring up the initial menu of choices and should be executed in Normal Mode.
This way all the components can be downloaded from each AV vendor's web site.
The choices are; Sophos, Trend, McAfee, Kaspersky, Exit this menu and Reboot the PC.

You can choose to go to each menu item and just download the needed files or you can
download the files and perform a scan in Normal Mode. Once you have downloaded the files
needed for each scanner you want to use, you should reboot the PC into Safe Mode [F8 key
during boot] and re-run the menu again and choose which scanner you want to run in Safe
Mode. It is suggested to run the scanners in both Safe Mode and Normal Mode.

When the menu is displayed hitting 'H' or 'h' will bring up a more comprehensive PDF help
file.



* * * Please report back your results * * *



--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
 
Anybody that is a Troll is you. I ran your beloved program on a test machine and you
do alter the svchost file so as people cannot get to some reputable sites which
yours is not. You are a thief and a story teller (said it diplomatically) and your
program that you push so hard is not what you say it is. A bunch of stolen material
that you put together and call it your own. Disgraceful

--
Peter

Please Reply to Newsgroup for the benefit of others
Requests for assistance by email can not and will not be acknowledged.

"The Real Truth MVP" wrote in message
news:ycNgl.19250$Ws1.7173@nlpi064.nbdc.sbc.com...
> Liar and a troll
> The Troll has gone crazy
> http://pcbutts1-therealtruth.blogspot.com/
> The truth about the David Lipman Troll
> http://www.google.com/search?sourceid=navc...Extraordinaire+
>
>
> --
>
> *WARNING* Do NOT follow any advice given by the people listed below.
> They do NOT have the expertise or knowledge to fix your issue.
> Do not waste your time.
> David H Lipman, Malke, PA Bear, Beauregard T. Shagnasty, Leythos
>
>
>
> "David H. Lipman" wrote in message
> news:u7XpyBzgJHA.4880@TK2MSFTNGP02.phx.gbl...
>> From: "John"
>>
>> | Yes, I still don't have MRT and I will get the appropriate measures into
>> | place. Thank you.
>>
>>
>> Please stay far away from the fake MS MVP, software plagiarizer and software
>> pirate who
>> directed you to PCBUTTS1.COM who is known as PCBUTTS1.
>>
>> http://www.viruslist.com/en/weblog?weblogid=197597102
>> http://www.nutnworks.com/forums/showthread.php?p=10097
>> http://www.besttechie.net/2006/09/07/pcbutts1-back-at-it/
>>
>> "He" is malicious, his software is malicious and his suggested software is a
>> conglomerate
>> of stolen code and utilities that will block access to anti malware web sites and
>> other
>> reputable web sites.
>>
>> --
>> Dave
>> http://www.claymania.com/removal-trojan-adware.html
>> Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
>>
>>

>
 
Your ignorance is showing along with your lack of knowledge. You don't know
the difference between host and svchosts. None of the sites in my hosts file
is reputable that is why it is in my hosts file you idiot.

--

*WARNING* Do NOT follow any advice given by the people listed below.
They do NOT have the expertise or knowledge to fix your issue.
Do not waste your time.
David H Lipman, Malke, PA Bear, Beauregard T. Shagnasty, Leythos



"Peter Foldes" wrote in message
news:uZr2Zn1gJHA.500@TK2MSFTNGP06.phx.gbl...
> Anybody that is a Troll is you. I ran your beloved program on a test
> machine and you do alter the svchost file so as people cannot get to some
> reputable sites which yours is not. You are a thief and a story teller
> (said it diplomatically) and your program that you push so hard is not
> what you say it is. A bunch of stolen material that you put together and
> call it your own. Disgraceful
>
> --
> Peter
>
> Please Reply to Newsgroup for the benefit of others
> Requests for assistance by email can not and will not be acknowledged.
>
> "The Real Truth MVP" wrote in message
> news:ycNgl.19250$Ws1.7173@nlpi064.nbdc.sbc.com...
>> Liar and a troll
>> The Troll has gone crazy
>> http://pcbutts1-therealtruth.blogspot.com/
>> The truth about the David Lipman Troll
>> http://www.google.com/search?sourceid=navc...Extraordinaire+
>>
>>
>> --
>>
>> *WARNING* Do NOT follow any advice given by the people listed below.
>> They do NOT have the expertise or knowledge to fix your issue.
>> Do not waste your time.
>> David H Lipman, Malke, PA Bear, Beauregard T. Shagnasty, Leythos
>>
>>
>>
>> "David H. Lipman" wrote in message
>> news:u7XpyBzgJHA.4880@TK2MSFTNGP02.phx.gbl...
>>> From: "John"
>>>
>>> | Yes, I still don't have MRT and I will get the appropriate measures
>>> into
>>> | place. Thank you.
>>>
>>>
>>> Please stay far away from the fake MS MVP, software plagiarizer and
>>> software pirate who
>>> directed you to PCBUTTS1.COM who is known as PCBUTTS1.
>>>
>>> http://www.viruslist.com/en/weblog?weblogid=197597102
>>> http://www.nutnworks.com/forums/showthread.php?p=10097
>>> http://www.besttechie.net/2006/09/07/pcbutts1-back-at-it/
>>>
>>> "He" is malicious, his software is malicious and his suggested software
>>> is a conglomerate
>>> of stolen code and utilities that will block access to anti malware web
>>> sites and other
>>> reputable web sites.
>>>
>>> --
>>> Dave
>>> http://www.claymania.com/removal-trojan-adware.html
>>> Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
>>>
>>>

>>
>
 
Was a typo but you got what I meant.

--
Peter

Please Reply to Newsgroup for the benefit of others
Requests for assistance by email can not and will not be acknowledged.

"The Real Truth MVP" wrote in message
news:3O%gl.3461$%54.908@nlpi070.nbdc.sbc.com...
> Your ignorance is showing along with your lack of knowledge. You don't know the
> difference between host and svchosts. None of the sites in my hosts file is
> reputable that is why it is in my hosts file you idiot.
>
> --
>
> *WARNING* Do NOT follow any advice given by the people listed below.
> They do NOT have the expertise or knowledge to fix your issue.
> Do not waste your time.
> David H Lipman, Malke, PA Bear, Beauregard T. Shagnasty, Leythos
>
>
>
> "Peter Foldes" wrote in message
> news:uZr2Zn1gJHA.500@TK2MSFTNGP06.phx.gbl...
>> Anybody that is a Troll is you. I ran your beloved program on a test machine and
>> you do alter the svchost file so as people cannot get to some reputable sites
>> which yours is not. You are a thief and a story teller (said it diplomatically)
>> and your program that you push so hard is not what you say it is. A bunch of
>> stolen material that you put together and call it your own. Disgraceful
>>
>> --
>> Peter
>>
>> Please Reply to Newsgroup for the benefit of others
>> Requests for assistance by email can not and will not be acknowledged.
>>
>> "The Real Truth MVP" wrote in message
>> news:ycNgl.19250$Ws1.7173@nlpi064.nbdc.sbc.com...
>>> Liar and a troll
>>> The Troll has gone crazy
>>> http://pcbutts1-therealtruth.blogspot.com/
>>> The truth about the David Lipman Troll
>>> http://www.google.com/search?sourceid=navc...Extraordinaire+
>>>
>>>
>>> --
>>>
>>> *WARNING* Do NOT follow any advice given by the people listed below.
>>> They do NOT have the expertise or knowledge to fix your issue.
>>> Do not waste your time.
>>> David H Lipman, Malke, PA Bear, Beauregard T. Shagnasty, Leythos
>>>
>>>
>>>
>>> "David H. Lipman" wrote in message
>>> news:u7XpyBzgJHA.4880@TK2MSFTNGP02.phx.gbl...
>>>> From: "John"
>>>>
>>>> | Yes, I still don't have MRT and I will get the appropriate measures into
>>>> | place. Thank you.
>>>>
>>>>
>>>> Please stay far away from the fake MS MVP, software plagiarizer and software
>>>> pirate who
>>>> directed you to PCBUTTS1.COM who is known as PCBUTTS1.
>>>>
>>>> http://www.viruslist.com/en/weblog?weblogid=197597102
>>>> http://www.nutnworks.com/forums/showthread.php?p=10097
>>>> http://www.besttechie.net/2006/09/07/pcbutts1-back-at-it/
>>>>
>>>> "He" is malicious, his software is malicious and his suggested software is a
>>>> conglomerate
>>>> of stolen code and utilities that will block access to anti malware web sites
>>>> and other
>>>> reputable web sites.
>>>>
>>>> --
>>>> Dave
>>>> http://www.claymania.com/removal-trojan-adware.html
>>>> Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
>>>>
>>>>
>>>

>>
>
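
The exchange above turns on which hostnames a hosts file overrides. As an added example (not code from anyone in this thread or from any tool it mentions), this Python script parses a hosts file and reports every entry that blocks or redirects a watched security site; the watchlist is built from sites named in the thread and the sample file is constructed.

```python
import ipaddress

# Watchlist assembled from sites named in this thread (an assumption of this
# example; extend it with whatever vendors and update servers you rely on).
WATCHLIST = ("avira.com", "avg.com", "malwarebytes.org",
             "superantispyware.com", "microsoft.com")

# Constructed sample hosts file, not taken from any real machine or tool.
SAMPLE_HOSTS = """\
# constructed sample hosts file
127.0.0.1       localhost
127.0.0.1       www.avira.com   avira.com    # two names on one line
0.0.0.0         update.avg.com
192.0.2.55      www.malwarebytes.org
127.0.0.1       ads.example.net
not-an-ip       www.microsoft.com
10.0.0.5        fileserver
"""


def parse_hosts(text):
    """Yield (line_no, address, hostname) for every usable mapping."""
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()   # drop comments
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue                          # address with no hostname
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                          # not a usable mapping, skip it
        for name in fields[1:]:
            # Normalise case and a trailing dot so comparisons are exact.
            yield line_no, addr, name.lower().rstrip(".")


def on_watchlist(hostname, watchlist=WATCHLIST):
    """True if hostname is a watched domain or a subdomain of one."""
    return any(hostname == d or hostname.endswith("." + d) for d in watchlist)


def audit_hosts(text, watchlist=WATCHLIST):
    """Return (line_no, hostname, address, verdict) for watched hostnames.

    'blocked'    : mapped to loopback or the unspecified address
    'redirected' : mapped to any other address, which deserves a closer look
    """
    findings = []
    for line_no, addr, name in parse_hosts(text):
        if not on_watchlist(name, watchlist):
            continue
        verdict = ("blocked" if addr.is_loopback or addr.is_unspecified
                   else "redirected")
        findings.append((line_no, name, str(addr), verdict))
    return findings


if __name__ == "__main__":
    for line_no, name, addr, verdict in audit_hosts(SAMPLE_HOSTS):
        print(f"line {line_no}: {name} -> {addr} ({verdict})")
```

To check a real machine, pass the contents of a copy of its hosts file to `audit_hosts` instead of `SAMPLE_HOSTS`.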
 
Thanks Tom. I have MRT installed now and did a scan with it. It didn't find
anything.

Does MRT ever run in the background or does it always have to be launched
manually?

I do see MRT in my WAU history, so I've downloaded but for some reason it
was never installed or run.


"Tom [Pepper] Willett" wrote in message
news:udX9c%23xgJHA.3812@TK2MSFTNGP04.phx.gbl...
> It's not in the download center.
>
> http://www.microsoft.com/security/malwareremove/default.mspx
>
> "John" wrote in message
> news:%23$vtHrxgJHA.4408@TK2MSFTNGP06.phx.gbl...
> :I searched the Microsoft download center and didn't find it.
> :
> :
> : "Bill Sanderson" wrote in message
> : news:F7C2E89E-BD65-43AF-999F-8A6293ABE16D@microsoft.com...
> : > You should have MRT.EXE in windows\system32.
> : >
> : > If you don't have it at all, your system is not getting all critical
> : > updates, which it should be. If you have it, but the date is not
> January
> : > , get the current one from Microsoft--search on "malicious software
> : > removal tool download details"
> : >
> : >
> : >
> : > "John" wrote in message
> : > news:eo8z8kTeJHA.4040@TK2MSFTNGP03.phx.gbl...
> : >> I actually d/l all updates as soon as prompted. I actually just got
> some
> : >> updates within the past week. I just changed it to d/l automatically
> at
> : >> 2a.m. I'll look for that file. Currently, a complete search of my C
> drive
> : >> does not find it. Thanks.
> : >>
> : >>
> : >> "Richard Urban" wrote in message
> : >> news:Okhl3SQeJHA.1272@TK2MSFTNGP04.phx.gbl...
> : >>> This sounds surprisingly like the worm (called "Downadup" or
> : >>> "Conficker") that has infected 9 million computers to date.
> : >>> http://www.msnbc.msn.com/id/28708241/
> : >>>
> : >>> If so, shame for not installing your Windows updates in a timely
> fashion.
> : >>> There was a patch issued to prevent this in October.
> : >>>
> : >>> The latest version of the Microsoft Malicious Removal Tool, issued
> on
> : >>> the 2nd Tuesday of this month, will clean this out. You DID get
> January
> : >>> updates right? If so, search for mrt.exe and run the program from
> your
> : >>> computer. It will remove this and you should be golden.
> : >>>
> : >>>
> : >>> --
> : >>>
> : >>> Richard Urban
> : >>> Microsoft MVP
> : >>> Windows Desktop Experience
> : >>>
> : >>>
> : >>> "John" wrote in message
> : >>> news:uzd5YbNeJHA.5344@TK2MSFTNGP05.phx.gbl...
> : >>>> I seem to have some kind of malware affecting IE7 & Firefox on my
> PC
> w/
> : >>>> XP. Does anyone recognize this? I have Avira AntiVir, been
> updating
> it
> : >>>> every day and scans don't detect anything.
> : >>>>
> : >>>> I am not able to browse to certain sites like avira.com, avg.com,
> and
> : >>>> other anti-virus sites. With IE7 I get redirected to a Google page
> and
> : >>>> w/ Firefox a "page load error" screen saying that the browser
> "failed
> : >>>> to connect".
> : >>>>
> : >>>> If I type www.avira.com into IE7 I am redirected to a Google search
> : >>>> page at this URL (I don't advise clicking it):
> : >>>>
> : >>>>
> http://www.google.com/search?q=www.avira.c...ex=&startPage=1
> : >>>>
> : >>>> If I click the link to avira.com from that page, it takes me to
> this
> : >>>> URL (again, I don't advise clicking it):
> : >>>>
> : >>>>
> http://go.google.com/?u=00a3f63266b79fba14...d=v300&mppc=234
> : >>>>
> : >>>> Then a page saying that I have security problems pops up, and
> prompts
> : >>>> me to download security updates, and IE puts up a message bar
> saying
> : >>>> that it has blocked the site from downloading files, as you can see
> in
> : >>>> the screen capture here (feel free to click this one):
> : >>>>
> : >>>> http://productivitymuse.com/screenshot_090117.jpg
> : >>>>
> : >>>> The URL of the page in the screen capture is (don't click it):
> : >>>>
> : >>>> http://scan.antispyware-pro-scanner.com/243/3/
> : >>>>
> : >>>> Does anyone know what could be causing my browser to redirect like
> this
> : >>>> and how to correct it?
> : >>>>
> : >>>> An adjunctive problem is that Spybot S&D won't start. When I click
> it,
> : >>>> I get an hourglass for a few seconds and then nothing happens. When
> I
> : >>>> go into Task Manager it does not show Spybot running.
> : >>>>
> : >>>> All of this started happening late Wednesday night (possibly after
> : >>>> midnight) after the Windows Security Center popped up and told me
> that
> : >>>> I had the zafi.b worm. A scan w/ AntiVir detected and deleted
> some
> : >>>> files and the zafi.b warnings went away, but obviously I still have
> : >>>> something. I installed AVG as well, and it didn't find anything and
> : >>>> wouldn't connect to the update server.
> : >>>>
> : >>>> Thanks for any advice.
> : >>>>
> : >>>> Here's some info on the registrant of the site that is trying to
> : >>>> download files to my computer. Notice that the domain was just
> : >>>> published on 1/15/09. The site is also self-hosted, which means
> that
> : >>>> Mr. Mott from Detroit Michigan 48204 (not Mississippi) can have
> : >>>> anything he wants on his server...
> : >>>>
> : >>>> Registration Service Provided By: ALVO BUSINESS SOLUTIONS, CORP.
> : >>>> Contact: +1.8662097142
> : >>>>
> : >>>> Domain Name: ANTISPYWARE-PRO-SCANNER.COM
> : >>>>
> : >>>> Registrant:
> : >>>> N/A
> : >>>> Deron Mott (deronmott@ymail.com)
> : >>>> Fremont St. 91 21
> : >>>> DETROIT
> : >>>> Mississippi,48204
> : >>>> US
> : >>>> Tel. +131.433437
> : >>>>
> : >>>> Creation Date: 15-Jan-2009
> : >>>> Expiration Date: 15-Jan-2010
> : >>>>
> : >>>> Domain servers in listed order:
> : >>>> ns4.alvobs.com
> : >>>> ns3.alvobs.com
> : >>>> ns2.alvobs.com
> : >>>> ns1.alvobs.com
> : >>>>
> : >>>>
> : >>>>
> : >>>>
> : >>>>
> : >>>>
> : >>
> : >>
> : >
> : >
> : > --
> : >
> : >
> :
> :
>
>
 
From: "John"

| Thanks Tom. I have MRT installed now and did a scan with it. It didn't find
| anything.

| Does MRT ever run in the background or does it always have to be launched
| manually?

| I do see MRT in my WAU history, so I've downloaded but for some reason it
| was never installed or run.

A new version is downloaded, installed and runs a scan once per month via auto updates.


--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
 
I think this is the same problem I have on one of my computers. Whilst on
the internet an app inserted itself without asking and told me I had viruses,
such as trojan, and others. Then the app insisted that I download the
removal and fix tool. Now that computer does not load windows properly, it
essentially doesn't work at all, all I get is music and a black screen. In
safe mode it tells me that some windows setup files are missing. I tried to
reinstall them with the system recovery tools disk, but the computer seems to
go into a loop. How can I "fix" this mess without using system recovery?

"The Real Truth MVP" wrote:

> Use my Remove-it software, it will remove that malware from your system.
> Choose yes for all options when prompted. Download it here
> http://pcbutts1.com/downloads/tools/tools.htm
>
> --
> The Real Truth http://pcbutts1-therealtruth.blogspot.com/
>
>
>
>
> "John" wrote in message
> news:ev4VmCygJHA.1288@TK2MSFTNGP02.phx.gbl...
> > Yes, I still don't have MRT and I will get the appropriate measures into
> > place. Thank you.
> >
> >
> > "Richard Urban" wrote in message
> > news:O2kwyyKfJHA.1252@TK2MSFTNGP03.phx.gbl...
> >>I heartedly suggest that you allow the updates to be installed
> >>automatically, at whatever time you choose. Otherwise you may not be at
> >>the computer to see the prompt telling you to install them NOW! You
> >>obviously did not have an up to date system and were vulnerable - as you
> >>have found out.
> >>
> >>
> >> --
> >>
> >>
> >> Richard Urban
> >> Microsoft MVP
> >> Windows Desktop Experience
> >>
> >>
> >> "John" wrote in message
> >> news:uZeURHVeJHA.5420@TK2MSFTNGP02.phx.gbl...
> >>> Actually, MBAM worked. However, to get it to work I had to...
> >>>
> >>> Go to Start > Control Panel > Folder Options and set it to show hidden
> >>> file types, and not to hide extensions or system files
> >>>
> >>> rename the installer
> >>>
> >>> install it in safe mode
> >>>
> >>> reboot in normal mode
> >>>
> >>> right-click the desktop icon and find the path to the MBAM target
> >>> executable
> >>>
> >>> browse to and rename the target executable and double-click on it
> >>>
> >>> After that all I had to do was reboot after it was finished and then
> >>> connect to the update server and I did get some updates, which means I
> >>> should probably run it again.
> >>>
> >>> Thanks everyone. Your help is priceless and you provide an amazing
> >>> resource.
> >>>
> >>>
> >>> "Richard Urban" wrote in message
> >>> news:e0PAtLUeJHA.5288@TK2MSFTNGP03.phx.gbl...
> >>>> Here is the download link I forgot to post.
> >>>> http://www.microsoft.com/downloads/details...&displaylang=en
> >>>>
> >>>> --
> >>>>
> >>>> Richard Urban
> >>>> Microsoft MVP
> >>>> Windows Desktop Experience
> >>>>
> >>>>
> >>>> "John" wrote in message
> >>>> news:#XdA7sTeJHA.6012@TK2MSFTNGP02.phx.gbl...
> >>>>> Hmmm...
> >>>>>
> >>>>> Well I set Automatic Update to run at 2am and I guess I'm not supposed
> >>>>> to be prompted but I still don't have a file called mrt.exe. I also
> >>>>> can't browse to the Windows Update site.
> >>>>>
> >>>>> "Richard Urban" wrote in message
> >>>>> news:Okhl3SQeJHA.1272@TK2MSFTNGP04.phx.gbl...
> >>>>>> This sounds surprisingly like the worm (called "Downadup" or
> >>>>>> "Conficker") that has infected 9 million computers to date.
> >>>>>> http://www.msnbc.msn.com/id/28708241/
> >>>>>>
> >>>>>> If so, shame for not installing your Windows updates in a timely
> >>>>>> fashion. There was a patch issued to prevent this in October.
> >>>>>>
> >>>>>> The latest version of the Microsoft Malicious Removal Tool, issued on
> >>>>>> the 2nd Tuesday of this month, will clean this out. You DID get
> >>>>>> January updates right? If so, search for mrt.exe and run the program
> >>>>>> from your computer. It will remove this and you should be golden.
> >>>>>>
> >>>>>>
> >>>>>> --
> >>>>>>
> >>>>>> Richard Urban
> >>>>>> Microsoft MVP
> >>>>>> Windows Desktop Experience
> >>>>>>
> >>>>>>
> >>>>>> "John" wrote in message
> >>>>>> news:uzd5YbNeJHA.5344@TK2MSFTNGP05.phx.gbl...
> >>>>>>> I seem to have some kind of malware affecting IE7 & Firefox on my PC
> >>>>>>> w/ XP. Does anyone recognize this? I have Avira AntiVir, been
> >>>>>>> updating it every day and scans don't detect anything.
> >>>>>>>
> >>>>>>> I am not able to browse to certain sites like avira.com, avg.com,
> >>>>>>> and other anti-virus sites. With IE7 I get redirected to a Google
> >>>>>>> page and w/ Firefox a "page load error" screen saying that the
> >>>>>>> browser "failed to connect".
> >>>>>>>
> >>>>>>> If I type www.avira.com into IE7 I am redirected to a Google search
> >>>>>>> page at this URL (I don't advise clicking it):
> >>>>>>>
> >>>>>>> http://www.google.com/search?q=www.avira.c...ex=&startPage=1
> >>>>>>>
> >>>>>>> If I click the link to avira.com from that page, it takes me to this
> >>>>>>> URL (again, I don't advise clicking it):
> >>>>>>>
> >>>>>>> http://go.google.com/?u=00a3f63266b79fba14...d=v300&mppc=234
> >>>>>>>
> >>>>>>> Then a page saying that I have security problems pops up, and
> >>>>>>> prompts me to download security updates, and IE puts up a message
> >>>>>>> bar saying that it has blocked the site from downloading files, as
> >>>>>>> you can see in the screen capture here (feel free to click this
> >>>>>>> one):
> >>>>>>>
> >>>>>>> http://productivitymuse.com/screenshot_090117.jpg
> >>>>>>>
> >>>>>>> The URL of the page in the screen capture is (don't click it):
> >>>>>>>
> >>>>>>> http://scan.antispyware-pro-scanner.com/243/3/
> >>>>>>>
> >>>>>>> Does anyone know what could be causing my browser to redirect like
> >>>>>>> this and how to correct it?
> >>>>>>>
> >>>>>>> An adjunctive problem is that Spybot S&D won't start. When I click
> >>>>>>> it, I get an hourglass for a few seconds and then nothing happens.
> >>>>>>> When I go into Task Manager it does not show Spybot running.
> >>>>>>>
> >>>>>>> All of this started happening late Wednesday night (possibly after
> >>>>>>> midnight) after the Windows Security Center popped up and told me
> >>>>>>> that I had the zafi.b worm. A scan w/ AntiVir detected and
> >>>>>>> deleted some files and the zafi.b warnings went away, but obviously
> >>>>>>> I still have something. I installed AVG as well, and it didn't find
> >>>>>>> anything and wouldn't connect to the update server.
> >>>>>>>
> >>>>>>> Thanks for any advice.
> >>>>>>>
> >>>>>>> Here's some info on the registrant of the site that is trying to
> >>>>>>> download files to my computer. Notice that the domain was just
> >>>>>>> published on 1/15/09. The site is also self-hosted, which means that
> >>>>>>> Mr. Mott from Detroit Michigan 48204 (not Mississippi) can have
> >>>>>>> anything he wants on his server...
> >>>>>>>
> >>>>>>> Registration Service Provided By: ALVO BUSINESS SOLUTIONS, CORP.
> >>>>>>> Contact: +1.8662097142
> >>>>>>>
> >>>>>>> Domain Name: ANTISPYWARE-PRO-SCANNER.COM
> >>>>>>>
> >>>>>>> Registrant:
> >>>>>>> N/A
> >>>>>>> Deron Mott (deronmott@ymail.com)
> >>>>>>> Fremont St. 91 21
> >>>>>>> DETROIT
> >>>>>>> Mississippi,48204
> >>>>>>> US
> >>>>>>> Tel. +131.433437
> >>>>>>>
> >>>>>>> Creation Date: 15-Jan-2009
> >>>>>>> Expiration Date: 15-Jan-2010
> >>>>>>>
> >>>>>>> Domain servers in listed order:
> >>>>>>> ns4.alvobs.com
> >>>>>>> ns3.alvobs.com
> >>>>>>> ns2.alvobs.com
> >>>>>>> ns1.alvobs.com
> >>>>>>>
> >>>>>>>
> >>>>>>>
> >>>>>>>
> >>>>>>>
> >>>>>>>
> >>>>>
> >>>>>
> >>>
> >>>
> >>

> >
> >
>
>
 
Rocky wrote:

> I think this is the same problem I have on one of my computers. Whilst on
> the internet an app inserted itself without asking and told me I had
> viruses,
> such as trojan, and others. Then the app insisted that I download the
> removal and fix tool. Now that computer does not load windows properly,
> it
> essentially doesn't work at all, all I get is music and a black screen. In
> safe mode it tells me that some windows setup files are missing. I tried
> to reinstall them with the system recovery tools disk, but the computer
> seems to
> go into a loop. How can I "fix" this mess without using system recovery?


You may not be able to. The first thing to do is back up any data that
didn't make it into your regular backups. The best way to do this is with a
Linux Live CD and an external hard drive or USB thumb drive. I like
Knoppix, but there are others.

Unfortunately, you really need to clean up the machine before you can even
attempt to repair the system. If Windows won't run at all, then honestly
the best thing to do is to clean-install Windows. You can try running
antivirus/malware-removal tools from a rescue disk like a Bart's PE but
it's going to be hard and even then, you may not be able to get it cleaned
up enough to run a Repair Install.

http://www.michaelstevenstech.com/XPrepairinstall.htm - Repair Install
How-To
http://michaelstevenstech.com/cleanxpinstall.html - Clean Install How-To
http://www.elephantboycomputers.com/page2....talling_Windows - What
you will need on-hand

You know your own skills best.

Malke
--
MS-MVP
Elephant Boy Computers - Don't Panic!
http://www.elephantboycomputers.com/#FAQ
 