Re: malware affecting IE7 on XP
- From: mo3here <mo3here@xxxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Fri, 23 Jan 2009 16:04:08 -0800
I for one take exception by your 'shame' comment with regards to not keeping
the virus definitions on our software up to date. I check daily and am
sitting here with a computer that seems to be infected with this same virus.
How did this virus install and run on a computer with newly installed Vista,
Live OneCare and Defender? At least twice a week, I do manual virus scans
and check for updates as well as the programmed daily scans. This virus is
exploiting Windows vulnerabilities so don't dump this on Windows users
failing to keep our anti-virus software up to date. Even with the latest
definition running, I still got locked out of my laptop this morning.
In case it helps anyone, I booted into safe mode with network access and am
now running the recommended MSR tool. It's been running for 4.5 hours and
still hasn't found this bloody virus........... will keep you posted if I
have any luck.
Cheers
Lesia
"Richard Urban" wrote:
This sounds surprisingly like the worm (called "Downadup" or "Conficker")
that has infected 9 million computers to date.
http://www.msnbc.msn.com/id/28708241/
If so, shame for not installing your Windows updates in a timely fashion.
There was a patch issued to prevent this in October.
The latest version of the Microsoft Malicious Removal Tool, issued on the
2nd Tuesday of this month, will clean this out. You DID get January updates
right? If so, search for mrt.exe and run the program from your computer. It
will remove this and you should be golden.
--
Richard Urban
Microsoft MVP
Windows Desktop Experience
"John" <noreply@xxxxxxxxxxx> wrote in message
news:uzd5YbNeJHA.5344@xxxxxxxxxxxxxxxxxxxxxxx
I seem to have some kind of malware affecting IE7 & Firefox on my PC w/
XP. Does anyone recognize this? I have Avira AntiVir, been updating it
every day and scans don't detect anything.
I am not able to browse to certain sites like avira.com, avg.com, and
other anti-virus sites. With IE7 I get redirected to a Google page and w/
Firefox a "page load error" screen saying that the browser "failed to
connect".
If I type www.avira.com into IE7 I am redirected to a Google search page
at this URL (I don't advise clicking it):
http://www.google.com/search?q=www.avira.com&rls=com.microsoft:en-us&ie=UTF-8&oe=UTF-8&startIndex=&startPage=1
If I click the link to avira.com from that page, it takes me to this URL
(again, I don't advise clicking it):
http://go.google.com/?u=00a3f63266b79fba1460d70932ff%3Dc%3Fphp.kcilc%2F84.822.19.77&bid=0.027225&aid=61&said=v300&mppc=234
Then a page saying that I have security problems pops up, and prompts me
to download security updates, and IE puts up a message bar saying that it
has blocked the site from downloading files, as you can see in the screen
capture here (feel free to click this one):
http://productivitymuse.com/screenshot_090117.jpg
The URL of the page in the screen capture is (don't click it):
http://scan.antispyware-pro-scanner.com/243/3/
Does anyone know what could be causing my browser to redirect like this
and how to correct it?
An adjunctive problem is that Spybot S&D won't start. When I click it, I
get an hourglass for a few seconds and then nothing happens. When I go
into Task Manager it does not show Spybot running.
All of this started happening late Wednesday night (possibly after
midnight) after the Windows Security Center popped up and told me that I
had the zafi.b worm. A scan w/ AntiVir detected and deleted some
files and the zafi.b warnings went away, but obviously I still have
something. I installed AVG as well, and it didn't find anything and
wouldn't connect to the update server.
Thanks for any advice.
Here's some info on the registrant of the site that is trying to download
files to my computer. Notice that the domain was just published on
1/15/09. The site is also self-hosted, which means that Mr. Mott from
Detroit Michigan 48204 (not Mississippi) can have anything he wants on his
server...
Registration Service Provided By: ALVO BUSINESS SOLUTIONS, CORP.
Contact: +1.8662097142
Domain Name: ANTISPYWARE-PRO-SCANNER.COM
Registrant:
N/A
Deron Mott (deronmott@xxxxxxxxx)
Fremont St. 91 21
DETROIT
Mississippi,48204
US
Tel. +131.433437
Creation Date: 15-Jan-2009
Expiration Date: 15-Jan-2010
Domain servers in listed order:
ns4.alvobs.com
ns3.alvobs.com
ns2.alvobs.com
ns1.alvobs.com