malware affecting IE7 on XP

Discussion in 'Virus Information' started by John, Jan 17, 2009.

  1. I heartily suggest that you allow the updates to be installed
    automatically, at whatever time you choose. Otherwise you may not be at the
    computer to see the prompt telling you to install them NOW! You obviously
    did not have an up to date system and were vulnerable - as you have found
    out.


    --


    Richard Urban
    Microsoft MVP
    Windows Desktop Experience
     
    Richard Urban, Jan 22, 2009
    #21

  2. mo3here Guest

    I for one take exception to your 'shame' comment with regards to not keeping
    the virus definitions on our software up to date. I check daily and am
    sitting here with a computer that seems to be infected with this same virus.
    How did this virus install and run on a computer with newly installed Vista,
    Live one Care and Defender? At least twice a week, I do manual virus scans
    and check for updates as well as the programmed daily scans. This virus is
    exploiting windows vulnerabilities so don't dump this on Windows users
    failing to keep our anti-virus software up to date. Even with the latest
    definition running, I still got locked out of my laptop this morning.

    In case it helps anyone, I booted into safe mode with network access and am
    now running the recommended MSR tool. It's been running for 4.5 hours and
    still hasn't found this bloody virus........... will keep you posted if I
    have any luck.

    Cheers
    Lesia
     
    mo3here, Jan 24, 2009
    #22

  3. From: "mo3here" <>

    | I for one take exception to your 'shame' comment with regards to not keeping
    | the virus definitions on our software up to date. I check daily and am
    | sitting here with a computer that seems to be infected with this same virus.
    | How did this virus install and run on a computer with newly installed Vista,
    | Live one Care and Defender? At least twice a week, I do manual virus scans
    | and check for updates as well as the programmed daily scans. This virus is
    | exploiting windows vulnerabilities so don't dump this on Windows users
    | failing to keep our anti-virus software up to date. Even with the latest
    | definition running, I still got locked out of my laptop this morning.

    | In case it helps anyone, I booted into safe mode with network access and am
    | now running the recommended MSR tool. It's been running for 4.5 hours and
    | still hasn't found this bloody virus........... will keep you posted if I
    | have any luck.

    | Cheers
    | Lesia


    You are assuming you are infected with the same malware and there is no evidence, that you
    have provided, that you have a virus.

    Instead of hijacking someone else's thread (and taking exception to what was posted) you
    should create your own thread and fully provide the information on the problems YOU are
    experiencing that leads you to believe your PC is infected.
     
    David H. Lipman, Jan 24, 2009
    #23
  4. Worm, actually. If indeed we are talking about Conficker.
    Viruses don't as a rule 'install' - they 'infect' programs as a means to
    execute again and spread to yet again another program when executed.
    Recursively replicating by attaching to code.
    Not sure about this one, but many exploit based malwares make changes
    to the system before any 'file' scanner has a file to scan. The exploit
    allows the malware to execute within the guise (and security context) of the
    hosting program.

    ....besides, a new variant of a particular malware may go unnoticed by the
    scanner even if it does become a 'file' on the filesystem. You can't really
    depend on any scanner to catch everything it 'knows' about - let alone
    those it doesn't 'know' about yet.
    The 'shame' would be in not patching the vulnerability in a timely manner.
    ....and I'm not saying with whom the 'shame' should be. The latest variant
    has added a weak password vector as well as some others - and the
    'vulnerability' there is human.

    Worms and viruses have a way of getting past even the best security.
     
    FromTheRafters, Jan 24, 2009
    #24
  5. John Guest

    I searched the Microsoft download center and didn't find it.
     
    John, Jan 30, 2009
    #25
  6. It's not in the download center.

    http://www.microsoft.com/security/malwareremove/default.mspx

    :I searched the Microsoft download center and didn't find it.
    :
    : > You should have MRT.EXE in \windows\system32.
    : >
    : > If you don't have it at all, your system is not getting all critical
    : > updates, which it should be. If you have it, but the date is not January,
    : > get the current one from Microsoft--search on "malicious software
    : > removal tool download details"
    : >
    : >> I actually d/l all updates as soon as prompted. I actually just got some
    : >> updates within the past week. I just changed it to d/l automatically at
    : >> 2a.m. I'll look for that file. Currently, a complete search of my C drive
    : >> does not find it. Thanks.
    : >>
    : >>> This sounds surprisingly like the worm (called "Downadup" or
    : >>> "Conficker") that has infected 9 million computers to date.
    : >>> http://www.msnbc.msn.com/id/28708241/
    : >>>
    : >>> If so, shame for not installing your Windows updates in a timely fashion.
    : >>> There was a patch issued to prevent this in October.
    : >>>
    : >>> The latest version of the Microsoft Malicious Removal Tool, issued on
    : >>> the 2nd Tuesday of this month, will clean this out. You DID get January
    : >>> updates right? If so, search for mrt.exe and run the program from your
    : >>> computer. It will remove this and you should be golden.
    : >>>
    : >>> --
    : >>>
    : >>> Richard Urban
    : >>> Microsoft MVP
    : >>> Windows Desktop Experience
    : >>>
    : >>>> I seem to have some kind of malware affecting IE7 & Firefox on my PC w/
    : >>>> XP. Does anyone recognize this? I have Avira AntiVir, been updating it
    : >>>> every day and scans don't detect anything.
    : >>>>
    : >>>> I am not able to browse to certain sites like avira.com, avg.com, and
    : >>>> other anti-virus sites. With IE7 I get redirected to a Google page and
    : >>>> w/ Firefox a "page load error" screen saying that the browser "failed
    : >>>> to connect".
    : >>>>
    : >>>> If I type www.avira.com into IE7 I am redirected to a Google search
    : >>>> page at this URL (I don't advise clicking it):
    : >>>>
    : >>>> http://www.google.com/search?q=www.avira.com&rls=com.microsoft:en-us&ie=UTF-8&oe=UTF-8&startIndex=&startPage=1
    : >>>>
    : >>>> If I click the link to avira.com from that page, it takes me to this
    : >>>> URL (again, I don't advise clicking it):
    : >>>>
    : >>>> http://go.google.com/?u=00a3f63266b79fba1460d70932ff%3Dc%3Fphp.kcilc%2F84.822.19.77&bid=0.027225&aid=61&said=v300&mppc=234
    : >>>>
    : >>>> Then a page saying that I have security problems pops up, and prompts
    : >>>> me to download security updates, and IE puts up a message bar saying
    : >>>> that it has blocked the site from downloading files, as you can see in
    : >>>> the screen capture here (feel free to click this one):
    : >>>>
    : >>>> http://productivitymuse.com/screenshot_090117.jpg
    : >>>>
    : >>>> The URL of the page in the screen capture is (don't click it):
    : >>>>
    : >>>> http://scan.antispyware-pro-scanner.com/243/3/
    : >>>>
    : >>>> Does anyone know what could be causing my browser to redirect like this
    : >>>> and how to correct it?
    : >>>>
    : >>>> An adjunctive problem is that Spybot S&D won't start. When I click it,
    : >>>> I get an hourglass for a few seconds and then nothing happens. When I
    : >>>> go into Task Manager it does not show Spybot running.
    : >>>>
    : >>>> All of this started happening late Wednesday night (possibly after
    : >>>> midnight) after the Windows Security Center popped up and told me that
    : >>>> I had the zafi.b worm. A scan w/ AntiVir detected and deleted some
    : >>>> files and the zafi.b warnings went away, but obviously I still have
    : >>>> something. I installed AVG as well, and it didn't find anything and
    : >>>> wouldn't connect to the update server.
    : >>>>
    : >>>> Thanks for any advice.
    : >>>>
    : >>>> Here's some info on the registrant of the site that is trying to
    : >>>> download files to my computer. Notice that the domain was just
    : >>>> published on 1/15/09. The site is also self-hosted, which means that
    : >>>> Mr. Mott from Detroit Michigan 48204 (not Mississippi) can have
    : >>>> anything he wants on his server...
    : >>>>
    : >>>> Registration Service Provided By: ALVO BUSINESS SOLUTIONS, CORP.
    : >>>> Contact: +1.8662097142
    : >>>>
    : >>>> Domain Name: ANTISPYWARE-PRO-SCANNER.COM
    : >>>>
    : >>>> Registrant:
    : >>>> N/A
    : >>>> Deron Mott ()
    : >>>> Fremont St. 91 21
    : >>>> DETROIT
    : >>>> Mississippi,48204
    : >>>> US
    : >>>> Tel. +131.433437
    : >>>>
    : >>>> Creation Date: 15-Jan-2009
    : >>>> Expiration Date: 15-Jan-2010
    : >>>>
    : >>>> Domain servers in listed order:
    : >>>> ns4.alvobs.com
    : >>>> ns3.alvobs.com
    : >>>> ns2.alvobs.com
    : >>>> ns1.alvobs.com
     
    Tom [Pepper] Willett, Jan 30, 2009
    #26
  7. John Guest

    Yes, I still don't have MRT and I will get the appropriate measures into
    place. Thank you.
     
    John, Jan 30, 2009
    #27
  8. Use my Remove-it software, it will remove that malware from your system.
    Choose yes for all options when prompted. Download it here
    http://pcbutts1.com/downloads/tools/tools.htm
     
    The Real Truth MVP, Jan 30, 2009
    #28
  9. From: "John" <>

    | Yes, I still don't have MRT and I will get the appropriate measures into
    | place. Thank you.


    Please stay far away from the fake MS MVP, software plagiarizer and software pirate who
    directed you to PCBUTTS1.COM who is known as PCBUTTS1.

    http://www.viruslist.com/en/weblog?weblogid=197597102
    http://www.nutnworks.com/forums/showthread.php?p=10097
    http://www.besttechie.net/2006/09/07/pcbutts1-back-at-it/

    "He" is malicious, his software is malicious and his suggested software is a conglomerate
    of stolen code and utilities that will block access to anti malware web sites and other
    reputable web sites.
     
    David H. Lipman, Jan 30, 2009
    #29
  10. Liar and a troll
    The Troll has gone crazy
    http://pcbutts1-therealtruth.blogspot.com/
    The truth about the David Lipman Troll
    http://www.google.com/search?sourceid=navclient&ie=UTF-8&rlz=1T4SUNA_enUS264US265&q=David+H%2e+Lipman+Troll+Extraordinaire+


    --

    *WARNING* Do NOT follow any advice given by the people listed below.
    They do NOT have the expertise or knowledge to fix your issue.
    Do not waste your time.
    David H Lipman, Malke, PA Bear, Beauregard T. Shagnasty, Leythos
     
    The Real Truth MVP, Jan 31, 2009
    #30
  11. Brett Guest

    So far in “Safe Mode” {F8} I have used the following programs to rid myself
    of Win32.Zafi.B Virus.

    The issues are when I load the operating system XP Professional & log in, I
    get a box saying “Found virus Win32.Zafi.b” would you like to “Enable
    Protection” Its Like firewall message box and also IE7 directs me to a site
    to download Defender, and any other sites I have tried going to closes
    automatically after 3-sec – 10secs back to my desktop.

    The following I have ran in “Safe Mode” running full scans.

    Malwarebytes Anti-Malware
    http://www.malwarebytes.org/mbam/program/mbam-setup.exe

    •SuperAntiSpyware
    http://www.superantispyware.com/downloadfile.html?productid=SUPERANTISPYWAREFREE

    •Remove It http://pcbutts1.com/downloads/tools/tools.htm

    completed & successfully done full-scans, also have downloaded and installed
    from my memory stick the Microsoft Malicious Removal Tool;
    http://www.microsoft.com/downloads/details.aspx?FamilyId=AD724AE0-E72D-4F54-9AB3-75B8EB148356&displaylang=en in (Safe-Mode)

    I still cannot get rid of this virus!! I know the simple way is to format
    start again, but I am just one of those guys who don’t want these idiots to
    win in the end, so any help or advice to try I am willing, if you can be
    patient and offer me a victory! in this war.


    Kind Regards


    Brett.
     
    Brett, Jan 31, 2009
    #31
  12. From: "Brett" <>

    | So far in “Safe Mode” {F8} I have used the following programs to rid myself
    | of Win32.Zafi.B Virus.

    | The issues are when I load the operating system XP Professional & log in, I
    | get a box saying “Found virus Win32.Zafi.b” would you like to “Enable
    | Protection” Its Like firewall message box and also IE7 directs me to a site
    | to download Defender, and any other sites I have tried going to closes
    | automatically after 3-sec – 10secs back to my desktop.

    | The following I have ran in “Safe Mode” running full scans.

    | Malwarebytes Anti-Malware
    | http://www.malwarebytes.org/mbam/program/mbam-setup.exe

    | •SuperAntiSpyware
    | http://www.superantispyware.com/downloadfile.html?productid=SUPERANTISPYWAREFREE

    | •Remove It http://pcbutts1.com/downloads/tools/tools.htm

    | completed & successfully done full-scans, also have downloaded and installed
    | from my memory stick the Microsoft Malicious Removal Tool;
    | http://www.microsoft.com/downloads/details.aspx?FamilyId=AD724AE0-E72D-4F54-9AB3-75B8EB148356&displaylang=en in (Safe-Mode)

    | I still cannot rid of this virus!!. I know the simple way is to format
    | start again, but I am just one of those guys who don’t want these idiots to
    | win in the end, so any help or advice to try I am willing, if you can be
    | patient and offer me a victory! in this war.


    | Kind Regards


    | Brett.
     
    David H. Lipman, Jan 31, 2009
    #32
  13. From: "Brett" <>

    | So far in “Safe Mode” {F8} I have used the following programs to rid myself
    | of Win32.Zafi.B Virus.

    Use the McAfee and Sophos modules in the below Multi AV Scanning Tool.

    Download MULTI_AV.EXE from the URL --
    http://www.pctip.ch/ds/28400/28470/Multi_AV.exe
    or
    http://212.98.39.7/ds/28400/28470/Multi_AV.exe

    http://www.pctip.ch/downloads/dl/35905.asp
    or
    http://212.98.39.7/downloads/dl/35905.asp

    English:
    http://www.raymond.cc/blog/archives/2008/01/09/scan-your-computer-with-multiple-anti-virus-for-free/


    To use this utility, perform the following...
    Execute; Multi_AV.exe { Note: You must use the default folder C:\AV-CLS }
    Choose; Unzip
    Choose; Close

    Execute; C:\AV-CLS\StartMenu.BAT
    { or Double-click on 'Start Menu' in C:\AV-CLS }

    NOTE: You may have to disable your software FireWall or allow WGET.EXE to go through your
    FireWall to allow it to download the needed AV vendor related files.

    C:\AV-CLS\StartMenu.BAT -- { or Double-click on 'Start Menu' in C:\AV-CLS}
    This will bring up the initial menu of choices and should be executed in Normal Mode.
    This way all the components can be downloaded from each AV vendor's web site.
    The choices are; Sophos, Trend, McAfee, Kaspersky, Exit this menu and Reboot the PC.

    You can choose to go to each menu item and just download the needed files or you can
    download the files and perform a scan in Normal Mode. Once you have downloaded the files
    needed for each scanner you want to use, you should reboot the PC into Safe Mode [F8 key
    during boot] and re-run the menu again and choose which scanner you want to run in Safe
    Mode. It is suggested to run the scanners in both Safe Mode and Normal Mode.

    When the menu is displayed hitting 'H' or 'h' will bring up a more comprehensive PDF help
    file.



    * * * Please report back your results * * *
     
    David H. Lipman, Jan 31, 2009
    #33
  14. Peter Foldes Guest

    Anybody that is a Troll is you. I ran your beloved program on a test machine and you
    do alter the svchost file so as people cannot get to some reputable sites which
    yours is not. You are a thief and a story teller (said it diplomatically) and your
    program that you push so hard is not what you say it is. A bunch of stolen material
    that you put together and call it your own. Disgraceful
     
    Peter Foldes, Jan 31, 2009
    #34
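The exchange above turns on whether a "cleaner" rewrote the hosts file so that security-vendor sites no longer resolve, which is also consistent with the original poster's inability to reach avira.com and avg.com. The following is an added audit script (not code from the thread or from any tool mentioned in it) that parses a hosts file and flags any entry overriding a watched security-vendor domain; the domain list and the sample hosts content are constructed assumptions drawn from the sites named in this thread.

```python
"""Audit a Windows hosts file for entries that override security-vendor domains.

Added example, not from the thread. A legitimate hosts file normally maps only
localhost; any mapping of an AV vendor's domain, whether to loopback (blocks it)
or to another address (redirects it), is worth investigating.
"""
import ipaddress

# Assumed watch list, built from the vendor sites mentioned in this thread.
WATCHED_DOMAINS = {
    "avira.com", "avg.com", "microsoft.com", "windowsupdate.com",
    "malwarebytes.org", "superantispyware.com", "sophos.com",
    "mcafee.com", "kaspersky.com", "trendmicro.com",
}

# Default location of the hosts file on Windows XP and later.
DEFAULT_HOSTS_PATH = r"C:\Windows\System32\drivers\etc\hosts"

# Constructed sample mimicking a tampered XP hosts file (not a real capture).
SAMPLE_HOSTS = """# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
# constructed hijack entries follow
127.0.0.1 www.avira.com
127.0.0.1 avg.com
10.0.0.5 download.microsoft.com  # silent redirect to another host
0.0.0.0 ad.doubleclick.net
127.0.0.1 www.malwarebytes.org
"""


def parse_hosts(text):
    """Yield (ip, hostname) pairs; comments, blank and malformed lines are skipped."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # not an address; ignore junk rather than crash
        for name in fields[1:]:
            yield str(ip), name.lower()


def is_watched(hostname):
    """True if hostname is a watched domain or any subdomain of one."""
    return any(hostname == d or hostname.endswith("." + d) for d in WATCHED_DOMAINS)


def find_hijacks(text):
    """Return every hosts entry that overrides a watched vendor domain."""
    return [(ip, name) for ip, name in parse_hosts(text) if is_watched(name)]


def audit_file(path=DEFAULT_HOSTS_PATH):
    """Read a hosts file from disk and return its suspicious entries."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return find_hijacks(fh.read())


if __name__ == "__main__":
    for ip, name in find_hijacks(SAMPLE_HOSTS):
        print(f"suspicious hosts entry: {name} -> {ip}")
```

Run it against the real file with `audit_file()`; an empty result means no vendor domain is being overridden by the hosts file, though a DNS- or proxy-level redirect would still need a separate check.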
  15. Your ignorance is showing along with your lack of knowledge. You don't know
    the difference between host and svchosts. None of the sites in my hosts file
    is reputable that is why it is in my hosts file you idiot.

    --

    *WARNING* Do NOT follow any advice given by the people listed below.
    They do NOT have the expertise or knowledge to fix your issue.
    Do not waste your time.
    David H Lipman, Malke, PA Bear, Beauregard T. Shagnasty, Leythos
     
    The Real Truth MVP, Jan 31, 2009
    #35
  16. Peter Foldes Guest

    Was a typo but you got what I meant.
     
    Peter Foldes, Jan 31, 2009
    #36
  17. John Guest

    Thanks Tom. I have MRT installed now and did a scan with it. It didn't find
    anything.

    Does MRT ever run in the background or does it always have to be launched
    manually?

    I do see MRT in my WAU history, so I've downloaded but for some reason it
    was never installed or run.


     
    John, Feb 4, 2009
    #37
  18. From: "John" <>

    | Thanks Tom. I have MRT installed now and did a scan with it. It didn't find
    | anything.

    | Does MRT ever run in the background or does it always have to be launched
    | manually?

    | I do see MRT in my WAU history, so I've downloaded but for some reason it
    | was never installed or run.

    A new version is downloaded, installed and runs a scan once per month via auto updates.
     
    David H. Lipman, Feb 4, 2009
    #38
  19. Rocky Guest

    I think this is the same problem I have on one of my computers. Whilst on
    the internet an app inserted itself without asking and told me I had viruses,
    such as trojan, and others. Then the app insisted that I download the
    removal and fix tool. Now that computer does not load windows properly, it
    essentially doesn't work at all, all I get is music and a black screen. In
    safe mode it tells me that some windows setup files are missing. I tried to
    reinstall them with the system recovery tools disk, but the computer seems to
    go into a loop. How can I "fix" this mess without using system recovery?
     
    Rocky, Mar 14, 2009
    #39
  20. Malke Guest

    You may not be able to. The first thing to do is back up any data that
    didn't make it into your regular backups. The best way to do this is with a
    Linux Live CD and an external hard drive or USB thumb drive. I like
    Knoppix, but there are others.

    Unfortunately, you really need to clean up the machine before you can even
    attempt to repair the system. If Windows won't run at all, then honestly
    the best thing to do is to clean-install Windows. You can try running
    antivirus/malware-removal tools from a rescue disk like a Bart's PE but
    it's going to be hard and even then, you may not be able to get it cleaned
    up enough to run a Repair Install.

    http://www.michaelstevenstech.com/XPrepairinstall.htm - Repair Install
    How-To
    http://michaelstevenstech.com/cleanxpinstall.html - Clean Install How-To
    http://www.elephantboycomputers.com/page2.html#Reinstalling_Windows - What
    you will need on-hand

    You know your own skills best.

    Malke
     
    Malke, Mar 14, 2009
    #40