Followed dircts. for spyware removal. Unable to update antivirus s

Tammy

I am unsure about where to post my question.
I had this box on my desktop that said Warning and it wanted me to update
my virus protection. I never clicked on it. I went to trendmicro and it got
rid of some nasties and then I went to Microsoft and it got rid of some too.
Something about the joke virus. I went to safe mode and deleted most of the
spyware that was on it using the Microsoft remover. I then found other
questions on here about the same problem and followed those instructions and
got my desktop, background and screensaver back.
I do not know how to get rid of the box that said Warning. It is not showing
now because I put a picture on it instead, but the "nasty" is still in my
computer somewhere. I have now tried to update my virus protection and it
keeps saying it failed. I tried to go back to Trendmicro and it says Internet
Explorer cannot display this webpage. I cannot get on ANY virus and spyware
sites. I can go just about anywhere else I need to on the internet. What can
be causing this problem and how do I fix it?
 
David H. Lipman

From: "Tammy" <[email protected]>

| I am unsure about where to post my question.
| I had this box on my desktop that said Warning and it wanted me to update
| my virus protection. I never clicked on it. I went to trendmicro and it got
| rid of some nasties and then I went to Microsoft and it got rid of some too.
| Something about the joke virus. I went to safe mode and deleted most of the
| spyware that was on it using the Microsoft remover. I then found other
| questions on here about the same problem and followed those instructions and
| got my desktop, background and screensaver back.
| I do not know how to get rid of the box that said Warning. It is not showing
| now because I put a picture on it instead, but the "nasty" is still in my
| computer somewhere. I have now tried to update my virus protection and it
| keeps saying it failed. I tried to go back to Trendmicro and it says Internet
| Explorer cannot display this webpage. I cannot get on ANY virus and spyware
| sites. I can go just about anywhere else I need to on the internet. What can
| be causing this problem and how do I fix it?

Unsure where to post? Why?

In the microsoft.* hierarchy there is: microsoft.public.security.virus

In the alt.* hierarchy there are virus groups as well.



Download and execute HiJack This! (HJT)
http://www.trendsecure.com/portal/en-US/threat_analytics/HJTInstall.exe

Then post the contents of the HJT log in your post in one of the below expert forums...

{ Please - Do NOT post the HJT Log here ! }

Forums where you can get expert advice for HiJack This! (HJT) Logs.

NOTE: Registration is REQUIRED in any of the below before posting a log

Suggested primary:
http://www.thespykiller.co.uk/index.php?board=3.0

Suggested secondary:
http://www.bleepingcomputer.com/forums/forum22.html
http://castlecops.com/forum67.html
http://www.malwarebytes.org/forums/index.php?showforum=7

Suggested tertiary:
http://www.dslreports.com/forum/cleanup
http://www.cybertechhelp.com/forums/forumdisplay.php?f=25
http://www.atribune.org/forums/index.php?showforum=9
http://www.geekstogo.com/forum/Malware_Removal_HiJackThis_Logs_Go_Here-f37.html
http://gladiator-antivirus.com/forum/index.php?showforum=170
http://forum.networktechs.com/forumdisplay.php?f=130
http://forums.maddoktor2.com/index.php?showforum=17
http://www.spywarewarrior.com/viewforum.php?f=5
http://forums.spywareinfo.com/index.php?showforum=18
http://forums.techguy.org/f54-s.html
http://forums.tomcoyote.org/index.php?showforum=27
http://forums.subratam.org/index.php?showforum=7
http://www.5starsupport.com/ipboard/index.php?showforum=18
http://aumha.net/viewforum.php?f=30
http://makephpbb.com/phpbb/viewforum.php?f=2
http://forums.techguy.org/54-security/
http://forums.security-central.us/forumdisplay.php?f=13
 
Rich

You may have the item I found documented at ThreatExpert.com:

http://www.threatexpert.com/report.aspx?uid=10cd2fba-add8-4085-aa0f-44fe3cba9450

Apparently Kaspersky and Norton antivirus have had reports about this if you
look at the web page mentioned.

I may have had the same problem. If you are not careful with Trend Micro
and immediately delete the problem as soon as TM detects it, it will infest
your system for all eternity and Trend Micro cannot detect the problem. You
get the warning box but TM can't fix it.

I called TM tech support and told them about the problem and the tech sent
me an email and I emailed them the details and the URL above. They were not
aware of this problem which broke out on or about August 26, 2008.

Once the Trojan gets into your Registry TM can't detect or remove it.

The way I had to clean my system up (XP Home MCE on a Dell XPS410) was to:

1) Do a System Restore from 4 days before the problem occurred.

2) Edit the registry as mentioned in the URL above to remove the references
that were no longer active. But there still was a startup item I could not
remove.

3) Then use Malwarebyte's free version of Malwarescan to scan the system. It
detected the naughty Registry entry and removed it and the resulting .exe
file that was in system32 directory.

Rich
 
Bob

There must be something new going around. My 2 laptops, one with Vista and one
with XP Pro, both with Norton Internet Security 2008 and Norton Anti-bot, were
both blocked from the internet. I found that something had gotten into the
advanced configuration of Windows Firewall (even though they are shut off by
Norton), and they were reconfigured to not allow any outside access to the internet.
Once I unblocked them I was up and running again. It took me 2 days to figure
this out. This only happened to my wireless computers not my desktop. Maybe
someone here has an answer.
 
Twayne

| I am unsure about where to post my question.
| I had this box on my desktop that said Warning and it wanted me to
| update my virus protection. I never clicked on it. I went to
| trendmicro and it got rid of some nasties and then I went to
| Microsoft and it got rid of some too. Something about the joke virus.
| I went to safe mode and deleted most of the spyware that was on it
| using the Microsoft remover. I then found other questions on here
| about the same problem and followed those instructions and got my
| desktop, background and screensaver back.
| I do not know how to get rid of the box that said Warning. It is not
| showing now because I put a picture on it instead, but the "nasty" is
| still in my computer somewhere. I have now tried to update my virus
| protection and it keeps saying it failed. I tried to go back to
| Trendmicro and it says Internet Explorer cannot display this webpage.
| I cannot get on ANY virus and spyware sites. I can go just about
| anywhere else I need to on the internet. What can be causing this
| problem and how do I fix it?

The inability to get to security pages is a favorite activity of some
viruses/malware. Often, if you use the IP number instead, you
can get there though. For example, to get to TrendMicro, instead of
trendmicro.com, enter 66.35.255.33 in the Address Bar. Unless it's
more sneaky than most of them, that will take you to their site. Try
clicking on the underlined IP number and see if it will work.

If you don't know how to find an IP number, post back and someone can
either tell you how to look them up or look them up for you. Try going
to http://openrbl.org/ and use their lookup there. Or, their IP is
212.227.102.74 if the URL is stopped from working. Once there, put the
name of the web site you want to access in the top white box and press
Return; the IP will appear above that box. Put that IP in your
Browser's Address Bar and it should take you there.
Or any whois site would give you the same information too.

I realize it's dangerous to take a stranger's word that those IPs take
you to where I say they go, but they do. If you're uncomfortable, just
watch your screen and click to Close if you think I sent you to the
wrong places. Perhaps someone will chime in and give you other places
you can confirm what I'm telling you.

HTH

Twayne
 
David H. Lipman

| The inability to get to security pages is a favorite activity of some
| viruses/malware. Often, if you use the IP number instead, you
| can get there though. For example, to get to TrendMicro, instead of
| trendmicro.com, enter 66.35.255.33 in the Address Bar. Unless it's
| more sneaky than most of them, that will take you to their site. Try
| clicking on the underlined IP number and see if it will work.

| If you don't know how to find an IP number, post back and someone can
| either tell you how to look them up or look them up for you. Try going
| to http://openrbl.org/ and use their lookup there. Or, their IP is
| 212.227.102.74 if the URL is stopped from working. Once there, put the
| name of the web site you want to access in the top white box and press
| Return; the IP will appear above that box. Put that IP in your
| Browser's Address Bar and it should take you there.
| Or any whois site would give you the same information too.

| I realize it's dangerous to take a stranger's word that those IPs take
| you to where I say they go, but they do. If you're uncomfortable, just
| watch your screen and click to Close if you think I sent you to the
| wrong places. Perhaps someone will chime in and give you other places
| you can confirm what I'm telling you.

| HTH

| Twayne


The easier way to deal with this is just delete the bloody etc/hosts file and flush the
DNS Cache.
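
Added example, not part of any post in this thread: before deleting the hosts file as suggested above, it can be inspected to see which names it redirects. The sample file, `BENIGN_NAMES` and `WATCHED` are assumptions constructed for illustration.

```python
import ipaddress

# Constructed sample hosts file (not taken from the thread). 203.0.113.0/24 is
# a documentation-only range; the vendor names are sites the thread mentions.
SAMPLE_HOSTS = """\
# sample hosts file
127.0.0.1       localhost
::1             localhost
127.0.0.1       trendmicro.com www.trendmicro.com   # added by something else
0.0.0.0         update.microsoft.com
203.0.113.9     www.malwarebytes.org
10.0.0.5        intranet.example.test
garbage line without an address
"""

# Assumption: names a clean hosts file may legitimately map to loopback.
BENIGN_NAMES = {"localhost", "localhost.localdomain"}
# Assumption: domains worth watching, chosen from sites named in the thread.
WATCHED = ("trendmicro.com", "microsoft.com", "malwarebytes.org")

def parse_hosts(text):
    """Yield (line_no, ip, hostnames) for every well-formed hosts entry."""
    for no, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()   # drop comments, split on whitespace
        if len(fields) < 2:
            continue                            # blank, comment-only or no hostname
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                            # first field is not an IP address
        yield no, ip, [h.lower().rstrip(".") for h in fields[1:]]

def suspicious_entries(text, watched=WATCHED):
    """Flag names sunk to loopback/0.0.0.0 and any local override of a watched domain."""
    findings = []
    for no, ip, names in parse_hosts(text):
        for name in names:
            if name in BENIGN_NAMES:
                continue
            sinkholed = ip.is_loopback or ip.is_unspecified
            is_watched = any(name == d or name.endswith("." + d) for d in watched)
            if sinkholed or is_watched:
                reason = "sinkholed" if sinkholed else "overridden"
                findings.append((no, str(ip), name, reason))
    return findings

if __name__ == "__main__":
    for finding in suspicious_entries(SAMPLE_HOSTS):
        print(finding)
```

On Windows the file lives at `%SystemRoot%\System32\drivers\etc\hosts`; after removing the bad entries, `ipconfig /flushdns` clears the resolver cache.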
 
