Can't access any web sites that contain anti virus fixes

Volfandt

XP Pro w/rev 6 explorer. I recently discovered that I couldn't access any web
sites that contain antivirus/spyware updates or fixes. This includes AVG,
SpyBot, Adaware, Malware and/or even trying to manually run Windows update.
Instead of getting the download page (where one chooses to either save or
run the download), I get a webpage stating "page not found". Microsoft's
Malicious Software tool didn't find any problems but AVG ran and found
problems and fixed it but when I run the Microsoft download scanner it finds
problems but can't fix them. Other than not being able to update XP, AVG and
my other virus/spyware apps the system seems to work fine. Also, I cannot
run Spybot nor Malware's app. I deleted Spybot and reinstalled it and it will
not run.
I'm guessing the virus that got me has gotten into my registry.
Any thoughts and/or fixes?
Thanks
 
David H. Lipman

From: "Volfandt" <[email protected]>

| XP Pro w/rev 6 explorer. I recently discovered that I couldn't access any web
| sites that contain antivirus/spyware updates or fixes. This includes AVG,
| SpyBot, Adaware, Malware and/or even trying to manually run Windows update.
| Instead of getting the download page (where one chooses to either save or
| run the download), I get a webpage stating "page not found". Microsoft's
| Malicious Software tool didn't find any problems but AVG ran and found
| problems and fixed it but when I run the Microsoft download scanner it finds
| problems but can't fix them. Other than not being able to update XP, AVG and
| my other virus/spyware apps the system seems to work fine. Also, I cannot
| run Spybot nor Malware's app. I deleted Spybot and reinstalled it and it will
| not run.
| I'm guessing the virus that got me has gotten into my registry.
| Any thoughts and/or fixes?
| Thanks


The chances of this being a virus are low.
The chances of this being non-viral malware is extremely high.



Download and execute HiJack This! (HJT)
http://www.trendsecure.com/portal/en-US/_download/HJTInstall.exe

Then post the contents of the HJT log in your post in one of the below expert forums...

{ Please - Do NOT post the HJT Log here ! }

Forums where you can get expert advice for HiJack This! (HJT) Logs.

NOTE: Registration is REQUIRED in any of the below before posting a log

Suggested primary:
http://www.thespykiller.co.uk/index.php?board=3.0

Suggested secondary:
http://www.bleepingcomputer.com/forums/forum22.html
http://castlecops.com/forum67.html
http://www.malwarebytes.org/forums/index.php?showforum=7

Suggested tertiary:
http://www.dslreports.com/forum/cleanup
http://www.cybertechhelp.com/forums/forumdisplay.php?f=25
http://www.atribune.org/forums/index.php?showforum=9
http://www.geekstogo.com/forum/Malware_Removal_HiJackThis_Logs_Go_Here-f37.html
http://gladiator-antivirus.com/forum/index.php?showforum=170
http://forum.networktechs.com/forumdisplay.php?f=130
http://forums.maddoktor2.com/index.php?showforum=17
http://www.spywarewarrior.com/viewforum.php?f=5
http://forums.spywareinfo.com/index.php?showforum=18
http://forums.techguy.org/f54-s.html
http://forums.tomcoyote.org/index.php?showforum=27
http://forums.subratam.org/index.php?showforum=7
http://www.5starsupport.com/ipboard/index.php?showforum=18
http://aumha.net/viewforum.php?f=30
http://makephpbb.com/phpbb/viewforum.php?f=2
http://forums.techguy.org/54-security/
http://forums.security-central.us/forumdisplay.php?f=13
 
Bob Harris

First, look at your "hosts" file, that is,
C:\windows\system32\drivers\etc\hosts. (hosts has no extension; it is just
"hosts".)

(Note, you may need to change windows explorer setting to allow seeing
system and hidden files.)

This file can be used to bypass a DNS server, effectively equating a web
address to a specific place. However, it can also be used to short-circuit
any website, pointing back to the local PC. That is a great way to block
advertisements, but it could also be used to prevent access to specific
websites, like antivirus.

The minimum contents of a hosts file is the one line below:

127.0.0.1 localhost

Other lines are optional.

For example, to block a website called "www.ads.active.com", add a line like:

127.0.0.1 ads.active.com

Placing a "#" in column one of a line makes it a comment.

For more information about the hosts file, try
http://www.mvps.org/winhelp2002/hosts.htm

Second, there are some free antivirus scanners that can be downloaded on
another PC, burned to CD, then run on your PC. Try McAfee and Norton for
starters. Also look at
http://www.avira.com/en/support/antivir_removal_tool.html

Or, try the following generalized PC tool, which includes antivirus:
http://ubcd.sourceforge.net/
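
A check for the situation described in the post above, where hosts entries point security sites back at the local PC or somewhere else. This is an added example, not part of Bob Harris's post; the watch-list of domain labels and the sample file are constructed for illustration.

```python
import ipaddress

# Assumption: labels taken from the products named in this thread.
WATCHED_LABELS = {"avg", "spybot", "malwarebytes", "windowsupdate", "microsoft",
                  "mcafee", "symantec", "avira", "avast", "superantispyware"}

# Constructed sample, not a real capture.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1       ads.active.com          # ad block, as in the post above
#127.0.0.1      www.symantec.com        (commented out: inactive)
127.0.0.1       www.avg.com free.avg.com
0.0.0.0         download.windowsupdate.com
203.0.113.7     www.malwarebytes.org
"""


def parse_hosts(text):
    """Yield (line_number, ip, hostnames) for every active mapping line."""
    for number, raw in enumerate(text.lstrip("\ufeff").splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()   # '#' starts a comment
        fields = line.split()
        if len(fields) < 2:
            continue                          # blank, comment-only or malformed
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                          # first field is not an address
        # One line may map several names to the same address.
        yield number, ip, [h.lower().rstrip(".") for h in fields[1:]]


def audit_hosts(text):
    """Return (line, host, ip, kind) for each mapping of a watched site."""
    findings = []
    for number, ip, hostnames in parse_hosts(text):
        for host in hostnames:
            if WATCHED_LABELS.intersection(host.split(".")):
                # Loopback or 0.0.0.0 makes the site unreachable; any other
                # address sends the browser to a server the file's author chose.
                blocked = ip.is_loopback or ip.is_unspecified
                findings.append((number, host, str(ip),
                                 "blocked" if blocked else "redirected"))
    return findings


if __name__ == "__main__":
    for line_no, host, ip, kind in audit_hosts(SAMPLE_HOSTS):
        print(f"line {line_no}: {host} -> {ip} ({kind})")
```

On a real machine, pass in the text of C:\windows\system32\drivers\etc\hosts; an empty result only rules out the hosts file, not other blocking mechanisms.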
 
Volfandt

Thanks Dave
Unfortunately I cannot open any of those listed sites except your Generic
Trojan / Adware Removal Procedures page and the Mcafee download. I downloaded
and ran the Stinger app and it found no problems. I'm thinking I may have
already deleted the malware and/or virus but have not been able to correct
the files it's changed.
I've tried downloading and running a Malware app and Spybot in safe mode
w/networking and they still will not run.
Oh, and the malware and/or virus did build a new user ID and gave it
administration permissions also. I deleted this as soon as I found it.
 
Volfandt

Thanks Bob,
I checked that Hosts file and it only has these lines, 127.0.0.1 localhost,
all the other lines are REM'ed out with the # sign.

I have copied the Spybot zip file from another PC on my home network and
loaded it on the affected laptop and it still won't run. Same for the Malware
app. I also ran the Malware app on another PC but had it scan the affected
laptop's C HDD and it didn't find any problems either.
It's like there's either a line added in all those apps to make them not
run or there's another program in XP where one can restrict access to both
websites and apps.
Wonder if there's a place in XP where both programs and web pages can be
entered to be restricted?
 
Mick Murphy

Reboot the affected computer, and go into Safe Mode with Networking by
tapping F8 at Power ON/ startup.
SM with Networking gives you internet access.
Download, install, update and scan there
Scan with all your security programs, one at a time.

Links for Spybot Search & destroy and Malwarebytes are below.

http://www.spybot.info/en/index.html

Spybot Search & Destroy 1.6 is a very good, FREE Anti-Spyware Program.
Download, install, update, and immunize your System with it.
Then SCAN with it.
Update it, and scan your System once a fortnight.

http://www.malwarebytes.org/mbam.php

Malwarebytes is as the name says, a Malware Remover!
For the Free version scroll down their page to either download from
Download.com, or Major Geeks.com

Download, install, and update.

Important re: Safe Mode
If you happen to find a problem that you can’t uninstall / delete, reboot
the computer, and go into Safe Mode.
To get into Safe mode, tap F8 right at Power On / Startup, and use UP arrow
key to get to Safe Mode from list of options, then hit ENTER.
RESCAN your computer with your Anti-Virus, Malwarebytes and Spybot S & D
while in Safe Mode.

If unable to install above Programs in Normal Mode:
Sometimes Trojans, Viruses, Malware, etc stop you installing and/or updating
Programs to remove them.
If that happens, reboot into Safe Mode with Networking, and install, update
and scan from there.
 
David H. Lipman

From: "Volfandt" <[email protected]>

| Thanks Dave
| Unfortunately I cannot open any of those listed sites except your Generic
| Trojan / Adware Removal Procedures page and the Mcafee download. I downloaded
| and ran the Stinger app and it found no problems. I'm thinking I may have
| already deleted the malware and/or virus but have not been able to correct
| the files it's changed.
| I've tried downloading and running a Malware app and Spybot in safe mode
| w/networking and they still will not run.
| Oh, and the malware and/or virus did build a new user ID and gave it
| administration permissions also. I deleted this as soon as I found it.


Download Gmer.
http://www.gmer.net/files.php

Make sure you close/kill ALL applications and utilities prior to running a scan of your
PC.
 
nass

Volfandt said:
XP Pro w/rev 6 explorer. I recently discovered that I couldn't access any web
sites that contain antivirus/spyware updates or fixes. This includes AVG,
SpyBot, Adaware, Malware and/or even trying to manually run Windows update.
Instead of getting the download page (where one chooses to either save or
run the download), I get a webpage stating "page not found". Microsoft's
Malicious Software tool didn't find any problems but AVG ran and found
problems and fixed it but when I run the Microsoft download scanner it finds
problems but can't fix them. Other than not being able to update XP, AVG and
my other virus/spyware apps the system seems to work fine. Also, I cannot
run Spybot nor Malware's app. I deleted Spybot and reinstalled it and it will
not run.
I'm guessing the virus that got me has gotten into my registry.
Any thoughts and/or fixes?
Thanks

This can be one of two:
1- A restriction has been put in place by the Viral infection
Or
2- A Corrupt profile

Open run then type in:
regedit click [OK]
Locate these keys and see if the entries have been placed to restrict you from
having control of your machine, and remove them if they are there!

Restriction for Programs to run:
[-] HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
= remove this entry in the right pane/window:
DisallowRun

Restriction for Registry Editor:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System
= remove this entry in the right pane/window
DisableRegistryTools

Restriction for Command Prompt:
[-] HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System = remove
this entry in the right pane/window
DisableCMD

<Q from MauriceN at castlecops.com>
Download to your Desktop FixPolicies.exe, a self-extracting ZIP archive from
here:
http://cid-6aaab341ce47c5c2.skydrive.live.com/self.aspx/Public/FixPolicies.exe

* Double-click FixPolicies.exe.
* Click the "Install" button on the bottom toolbar of the box that will
open.
* The program will create a new Folder called FixPolicies.
* Double-click to Open the new Folder, and then double-click the file
within: Fix_Policies.cmd.
* A black box will briefly appear and then close.
* This fix may prove temporary. Active malware may revert these changes
at your next startup. You can safely run the utility again.

Now, logoff and restart the system, and advise and confirm for me that you
can login to Normal mode.
</Q>

Run a thorough scan by doing the following steps:
1... First, try to clean up your caches, Internet files and delete cookies
by doing this:
Click Start >> Control Panel >> Double click Network and Internet
Connections >> Double click Internet Options.
On the IE properties windows you will see these Tabs:
General | Security | Privacy | Content | Connections | Programs |
Advanced
Under General Tab clear your History, Internet Files and Cookies.
Then click on Advanced tab and scroll down to under the Browsing Option:
[&] Browsing
[ ] Enable Third-Party browser extensions (Req Rest) uncheck this box.
Then click on Programs Tab and click Manage Add-Ons and Disable all non
Verified Add-Ons (You should Re-enable them later one-by-one and see the
culprit and update it or remove it).
How to manage Add-Ons:
http://support.microsoft.com/kb/883256
Scan for malware from here:
Download and Update both SuperAntispyware and Malwarebytes then run a
complete scan - Free
http://www.superantispyware.com/superantispywarefreevspro.html
http://www.malwarebytes.org/rr-update/rr-free-setup.exe
http://onecare.live.com/site/en-gb/default.htm?s_cid=sah

Run a scan from here on-line:
http://security.symantec.com/sscv6/default.asp?langid=ie&venid=sym
http://www3.ca.com/securityadvisor/virusinfo/scan.aspx
Download Avast Cleaner (offline scanner) from here:
http://www.avast.com/eng/avast-virus-cleaner.html
Comodo BOClean : Anti-Malware Version 4.27
http://www.comodo.com/boclean/boclean.html

If you wish to send me your Hijackthis log I will be happy to help you
further or send to one of many forums on the internet!
Download Hijackthis and send me the log.
(http://www.trendsecure.com/portal/en-US/threat_analytics/hijackthis.php)
my address is : to_you_ross(at remove this and replace with the
obvious)yahoo.co.uk ( _ is underscore)

Run disk clean up on your Drive.
You can download this tool to run clean up:
http://www.ccleaner.com/download/builds/downloading-slim

# For the second option:
How to Identify a Damaged User Profile and Create a New Profile
http://support.microsoft.com/kb/811151
HTH,
nass
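
The three policy values listed in the post above can also be checked from an exported .reg file instead of by eye in regedit. This is an added example, not part of nass's post; the sample export and the executable names in it are constructed for illustration.

```python
import re

# Key path (lowercased) -> policy value named in the post above.
POLICY_VALUES = {
    r"hkey_current_user\software\microsoft\windows\currentversion\policies\explorer": "DisallowRun",
    r"hkey_current_user\software\microsoft\windows\currentversion\policies\system": "DisableRegistryTools",
    r"hkey_current_user\software\policies\microsoft\windows\system": "DisableCMD",
}
# When DisallowRun is enabled, the blocked program names sit in this subkey.
DISALLOW_LIST_KEY = (r"hkey_current_user\software\microsoft\windows"
                     r"\currentversion\policies\explorer\disallowrun")

VALUE_RE = re.compile(
    r'^"(?P<name>[^"]+)"=(?:dword:(?P<dword>[0-9a-fA-F]{8})|"(?P<text>.*)")$')

# Constructed sample export, not a real capture.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"DisallowRun"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun]
"1"="mbam.exe"
"2"="SpybotSD.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegistryTools"=dword:00000000

[HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System]
"DisableCMD"=dword:00000002
"""


def parse_reg_export(text):
    """Return {lowercased key path: {value name: int or str}}."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1].lower(), {})
            continue
        match = VALUE_RE.match(line) if current is not None else None
        if not match:
            continue
        if match.group("dword") is not None:
            current[match.group("name")] = int(match.group("dword"), 16)
        else:  # string value: undo the .reg escaping of quotes and backslashes
            current[match.group("name")] = (
                match.group("text").replace('\\"', '"').replace("\\\\", "\\"))
    return keys


def find_restrictions(text):
    """Return (enabled policy names, program names on the DisallowRun list)."""
    keys = parse_reg_export(text)
    active = []
    for path, name in POLICY_VALUES.items():
        values = {k.lower(): v for k, v in keys.get(path, {}).items()}
        value = values.get(name.lower())
        if isinstance(value, int) and value != 0:   # non-zero DWORD = enforced
            active.append(name)
    blocked = sorted((v for v in keys.get(DISALLOW_LIST_KEY, {}).values()
                      if isinstance(v, str)), key=str.lower)
    return active, blocked


if __name__ == "__main__":
    print(find_restrictions(SAMPLE_REG))
```

Files written by regedit's File > Export are UTF-16, so read them with `encoding="utf-16"` before passing the text in.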
 
Volfandt

Thanks again Dave, unfortunately I cannot access any of those sites from the
affected laptop. (I get page not found). I did download the Stinger app to my
desktop then copied over to the laptop and ran it. It did not find any
problems.
I didn't try any of the other apps.
Dave
 
Volfandt

Thanks Mick, the affected laptop will not run SpyBot in Safe Mode, no matter
if I delete it and re-download it again in safe mode it will not run. I can
run the Malware's App and it doesn't find any problems.
Dave
 
Volfandt

Thanks nass, I ran the regedit app and checked all those Hkey programs and
they did not contain any problems. I compared them to my desktop and they
were very similar.
The FixPolicies app will not run. I had to download it to my desktop then
copy over to the affected laptop but will not run. I get a second or two of
the mouse pointer changing to the hourglass then it goes back to a pointer,
both in normal & safe mode.
I will try those other steps after a while, but it is VERY perplexing that this
virus only affects programs and websites that pertain to repairing viruses.
Wonder how it "knows" the difference?
Dave

 
David H. Lipman

From: "Volfandt" <[email protected]>

| Thanks again Dave, unfortunately I cannot access any of those sites from the
| affected laptop. (I get page not found). I did download the Stinger app to my
| desktop then copied over to the laptop and ran it. It did not find any
| problems.
| I didn't try any of the other apps.
| Dave

Stinger has a very limited target list and is only worthwhile when you know you are
infected with something Stinger actually targets.

You have an unknown malware and thus it requires a broad-spectrum detection and removal
utility/application.
 
Malke

Volfandt said:
Thanks nass, I ran the regedit app and checked all those Hkey programs and
they did not contain any problems. I compared them to my desktop and they
were very similar.
The FixPolicies app will not run. I had to download it to my desktop then
copy over to the affected laptop but will not run. I get a second or two
of the mouse pointer changing to the hourglass then it goes back to a
pointer, both in normal & safe mode.
I will try those other steps after a while, but it is VERY perplexing that
this virus only affects programs and websites that pertain to repairing
viruses. Wonder how it "knows" the difference?

It is extremely common for malware to prevent you from going to
antivirus/antimalware sites.

At this point you should either get guided help at one of the specialty
forums below OR back up your data and do a clean install of Windows. It is
your choice. If you are unsure how to back up your data or how to do a
clean install, you can take your machine to a local computer professional.
I don't recommend using BigComputerStore/GeekSquad types of places.

PLEASE DO NOT POST LOGS IN THE MS NEWSGROUPS.

http://aumha.org/downloads/hijackthis.zip
http://aumha.net/ - Click on the HijackThis forum. Read the announcement and
the stickies *first*.
http://www.atribune.org/forums/index.php?showforum=9
http://aumha.net/viewforum.php?f=30
http://www.bleepingcomputer.com/forums/forum22.html
http://www.dslreports.com/forum/cleanup
http://www.cybertechhelp.com/forums/forumdisplay.php?f=25
http://www.geekstogo.com/forum/Malware_Removal_HiJackThis_Logs_Go_Here-f37.html
http://www.malwarebytes.org/forums/index.php?showforum=7
http://gladiator-antivirus.com/forum/index.php?showforum=170
http://spywarewarrior.com/viewforum.php?f=5
http://forums.techguy.org/54-security/
http://forums.tomcoyote.org/
http://www.thespykiller.co.uk/index.php?board=3.0
http://forums.subratam.org/index.php?showforum=7

Malke
 
Twayne

Often, one way to reach such sites is to use their IP instead of their
English text names. Instead of the server.com, you use something like
aa.bbb.cc.dd.
You can look them up at many online sites: Here is one that's easy to
use:
http://www.hcidata.info/host2ip.htm
Just enter say symantec.com and you get back
216.12.145.20
Now, instead of putting "symantec.com" in your browser address bar,
you put that IP number instead; just use a copy/paste operation to make
it easy. It works, I tested it.
Put the number in the left hand box, click Find, and the IP will
appear in the right hand box.

Caveat: You'll get the Home Page for whatever site you enter, so if
there is a " .../folder/fname.html" part, it won't go there, but will go
to its Home Page.

Assuming of course, it'll let you get to THAT site<g>! I suspect it
will work.

HTH

Twayne
 
David H. Lipman

From: "virusexperts" <[email protected]>

| ' *How to manually remove Backdoor.livup (msstart.exe) Trojan-horse? OR How To
| Manually Remove Trojan?* Answer to the following Questions can be found here
| http://snip.blogspot.com/ Follow the steps to solve your problem. The steps
| are easy to remove any type of trojan worms, viruses, adware or spyware. Hope this will
| help you. or contact


I see your objective is to just spam a blogspot because you have replied this to at least
two posts where the information provided in the Blogspot is completely not applicable.
 
Twayne

' *How to manually remove Backdoor.livup (msstart.exe) Trojan-horse?
OR

How To Manually Remove Trojan?*


Answer to the following Questions can be found here
http://virusexperts.blogspot.com/

Follow the steps to solve your problem. The steps are easy to remove
any type of trojan worms, viruses, adware or spyware. Hope this will
help you.

or contact (e-mail address removed)'
(http://virusexperts.blogspot.com/)

I didn't like what I saw when I checked your links. I suggest you
either:
1. Post the answer to queries right here, or
2. Stop posting here completely before you start being reported for
abuse of a newsgroup by spamming.

Your choice

You should also remove "experts" from your name - it's obvious you are
not all "experts".
 
gt

I had the same problem. I re-booted in safe mode with network access (F8),
did a google search for Malwarebytes download, and tried sites until I found
one that didn't re-direct. I ran the download and executed it. Malwarebytes
removed the trojan and when I re-booted I could update my virus protection
and get my windows updates again.
 
