| Windows XP Discuss the Microsoft Windows XP Operating System |
| |||
| Homepage hijack - blank.mht I have been infected with the dreaded about:blank. Running XP home edition SP1 and using McAfee virus software. Symptoms are: 1. Every logon when the Explorer shell comes up, the virus puts a rogue blank.mht file in c:windows. This can be deleted but gets put back every fresh logon. It is used when the virus activates, to populate the pop-up. 2. The web pages (HKLM-Internet Explorer-etc) "local" "search" and "start" are always corrupted so my home page is hijacked. I have written a "reg" file to correct the registry so I can continue more or less as normal, but I am no nearer to a final fix. Anyone got a clue about this please? (Lots of hits on Google but they all seem to want to sell something - who knows they may even be in partnership with the virus writer!!!) I -- mathsgames |
| |||
| RE: Homepage hijack - blank.mht "mathsgames" wrote: > I have been infected with the dreaded about:blank. Running XP home edition > SP1 and using McAfee virus software. Symptoms are: > 1. Every logon when the Explorer shell comes up, the virus puts a rogue > blank.mht file in c:windows. This can be deleted but gets put back every > fresh logon. It is used when the virus activates, to populate the pop-up. > 2. The web pages (HKLM-Internet Explorer-etc) "local" "search" and "start" > are always corrupted so my home page is hijacked. I have written a "reg" > file to correct the registry so I can continue more or less as normal, but I > am no nearer to a final fix. > Anyone got a clue about this please? > (Lots of hits on Google but they all seem to want to sell something - who > knows they may even be in partnership with the virus writer!!!) > I > -- > mathsgames Hi, Try to see if your Connections/DNS Server is Hijacked by these Viral Malwares, to do that Right Click on your Internet Connection and select Properties then click on Networking Tab and Highlight the TCP/IP and click Properties Button. On the TCP/IP Properties window under General Tab see if your IP is set to automatic or set to static and your DNS settings. Normally the Malware will issue the IP address from range 62.255.112.201 - 82.234.112.201 some odd IPs try to remove them and if you use a DNS get it from your ISP provider. Also click on Advanced Button and see the DNS, WINS settings there. Here are a lot of answers for Hijacked Homepages: http://www.microsoft.com/communities...xp=&sloc=en-us HTH. Please let us know as your feedback helps others. Thank you. Regards, nass ---- www.nasstec.co.uk |
| |||
| Re: Homepage hijack - blank.mht "mathsgames" <mathsgames@discussions.microsoft.com> wrote in message news:AEBF2E33-ED42-4233-82E7-A9B9D3C61134@microsoft.com... >I have been infected with the dreaded about:blank. Running XP home edition > SP1 and using McAfee virus software. Symptoms are: > 1. Every logon when the Explorer shell comes up, the virus puts a rogue > blank.mht file in c:windows. This can be deleted but gets put back every > fresh logon. It is used when the virus activates, to populate the pop-up. > 2. The web pages (HKLM-Internet Explorer-etc) "local" "search" and "start" > are always corrupted so my home page is hijacked. I have written a "reg" > file to correct the registry so I can continue more or less as normal, but > I > am no nearer to a final fix. > Anyone got a clue about this please? > (Lots of hits on Google but they all seem to want to sell something - who > knows they may even be in partnership with the virus writer!!!) http://www.elephantboycomputers.com/...moving_Malware Your best choice might be to run HijackThis and post the log to one of the specialty forums for it, not this one. HijackThis http://www.majorgeeks.com/download.php?det=3155 Forums to Interpret HijackThis Logs: http://www.spywareinfo.com/forums/ http://forum.aumha.org/viewforum.php?f=30 http://forums.tomcoyote.org/ http://www.wilderssecurity.com/ |
| |||
| Re: Homepage hijack - blank.mht From: "mathsgames" <mathsgames@discussions.microsoft.com> | I have been infected with the dreaded about:blank. Running XP home edition | SP1 and using McAfee virus software. Symptoms are: | 1. Every logon when the Explorer shell comes up, the virus puts a rogue | blank.mht file in c:windows. This can be deleted but gets put back every | fresh logon. It is used when the virus activates, to populate the pop-up. | 2. The web pages (HKLM-Internet Explorer-etc) "local" "search" and "start" | are always corrupted so my home page is hijacked. I have written a "reg" | file to correct the registry so I can continue more or less as normal, but I | am no nearer to a final fix. | Anyone got a clue about this please? | (Lots of hits on Google but they all seem to want to sell something - who | knows they may even be in partnership with the virus writer!!!) | I | -- | mathsgames If you are using any version of Sun Java that is prior to JRE Version 5.0 update 10, then you are strongly urged to remove any/all versions. There are vulnerabilities in them and they are actively being exploited. It is highly suggested that you update to the latest version which is Sun Java JRE/JSE Version 5.0 Update 10 Simple check, look under... C:\Program Files\Java The only folder under that folder should be the latest version. Such as... C:\Program Files\Java\jre1.5.0_10 http://java.sun.com/javase/downloads/index.jsp http://www.java.com/en/download/manual.jsp FYI: http://sunsolve.sun.com/search/docum...=1-26-102557-1 http://sunsolve.sun.com/search/docum...=1-26-102648-1 http://sunsolve.sun.com/search/docum...=1-26-102622-1 For non-viral malware... Please download, install and update the following software... 
* Ad-aware SE v1.06 http://www.lavasoft.de/ http://www.lavasoftusa.com/ http://www.lavasoft.de/ms/index.htm * SpyBot Search and Destroy v1.4 http://security.kolla.de/ http://www.safer-networking.org/microsoft.en.html * SuperAntiSpyware http://www.superantispyware.com/supe...freevspro.html After the software is updated, I suggest scanning the system in Safe Mode. I also suggest downloading, installing and updating BHODemon for any Browser Helper Objects that may be on the PC. * BHODemon http://www.majorgeeks.com/downloadge...4332b4b8b8442d For viral malware... * Download MULTI_AV.EXE from the URL -- http://www.ik-cs.com/programs/virtools/Multi_AV.exe To use this utility, perform the following... Execute; Multi_AV.exe { Note: You must use the default folder C:\AV-CLS } Choose; Unzip Choose; Close Execute; C:\AV-CLS\StartMenu.BAT { or Double-click on 'Start Menu' in C:\AV-CLS } NOTE: You may have to disable your software FireWall or allow WGET.EXE to go through your FireWall to allow it to download the needed AV vendor related files. C:\AV-CLS\StartMenu.BAT -- { or Double-click on 'Start Menu' in C:\AV-CLS} This will bring up the initial menu of choices and should be executed in Normal Mode. This way all the components can be downloaded from each AV vendor's web site. The choices are; Sophos, Trend, McAfee, Kaspersky, Exit this menu and Reboot the PC. You can choose to go to each menu item and just download the needed files or you can download the files and perform a scan in Normal Mode. Once you have downloaded the files needed for each scanner you want to use, you should reboot the PC into Safe Mode [F8 key during boot] and re-run the menu again and choose which scanner you want to run in Safe Mode. It is suggested to run the scanners in both Safe Mode and Normal Mode. When the menu is displayed hitting 'H' or 'h' will bring up a more comprehensive PDF help file. 
http://www.ik-cs.com/multi-av.htm Additional Instructions: http://pcdid.com/Multi_AV.htm * * * Please report back your results * * * -- Dave http://www.claymania.com/removal-trojan-adware.html http://www.ik-cs.com/got-a-virus.htm |
| |||
| Re: Homepage hijack - blank.mht Thanks to all who replied. My Java in c:\programs\java - one folder only - is j2re1.4.2_03 so I guess this is ok. My own internet traffic - via AOL - works fine. So I guess my normal IP addressing is working - and all my DNS / URL stuff works. One extra symptom of this virus -- it seems to have a clock wakeup - after about 10 mins of "normal" internet work up pops the rogue window claiming to have some top value anti virus software at a killer price. Once I have removed the rogue mht file and Registry entries all works fine again -- until another ten minutes have passed. Does this extra infor ring any bells please?? -- mathsgames "David H. Lipman" wrote: > From: "mathsgames" <mathsgames@discussions.microsoft.com> > > | I have been infected with the dreaded about:blank. Running XP home edition > | SP1 and using McAfee virus software. Symptoms are: > | 1. Every logon when the Explorer shell comes up, the virus puts a rogue > | blank.mht file in c:windows. This can be deleted but gets put back every > | fresh logon. It is used when the virus activates, to populate the pop-up. > | 2. The web pages (HKLM-Internet Explorer-etc) "local" "search" and "start" > | are always corrupted so my home page is hijacked. I have written a "reg" > | file to correct the registry so I can continue more or less as normal, but I > | am no nearer to a final fix. > | Anyone got a clue about this please? > | (Lots of hits on Google but they all seem to want to sell something - who > | knows they may even be in partnership with the virus writer!!!) > | I > | -- > | mathsgames > > > > If you are using any version of Sun Java that is prior to JRE Version 5.0 update 10, > then you are strongly urged to remove any/all versions. > There are vulnerabilities in them and they are actively being exploited. > > It is highly suggested that you update to the latest version which is Sun Java JRE/JSE > Version 5.0 Update 10 > > Simple check, look under... 
> C:\Program Files\Java > > The only folder under that folder should be the latest version. > > Such as... > C:\Program Files\Java\jre1.5.0_10 > > http://java.sun.com/javase/downloads/index.jsp > http://www.java.com/en/download/manual.jsp > > FYI: > http://sunsolve.sun.com/search/docum...=1-26-102557-1 > http://sunsolve.sun.com/search/docum...=1-26-102648-1 > http://sunsolve.sun.com/search/docum...=1-26-102622-1 > > > For non-viral malware... > > Please download, install and update the following software... > > * Ad-aware SE v1.06 > http://www.lavasoft.de/ > http://www.lavasoftusa.com/ > http://www.lavasoft.de/ms/index.htm > > * SpyBot Search and Destroy v1.4 > http://security.kolla.de/ > http://www.safer-networking.org/microsoft.en.html > > * SuperAntiSpyware > http://www.superantispyware.com/supe...freevspro.html > > After the software is updated, I suggest scanning the system in Safe Mode. > > I also suggest downloading, installing and updating BHODemon for any Browser Helper Objects > that may be on the PC. > > * BHODemon > > http://www.majorgeeks.com/downloadge...4332b4b8b8442d > > For viral malware... > > * Download MULTI_AV.EXE from the URL -- > http://www.ik-cs.com/programs/virtools/Multi_AV.exe > > To use this utility, perform the following... > Execute; Multi_AV.exe { Note: You must use the default folder C:\AV-CLS } > Choose; Unzip > Choose; Close > > Execute; C:\AV-CLS\StartMenu.BAT > { or Double-click on 'Start Menu' in C:\AV-CLS } > > NOTE: You may have to disable your software FireWall or allow WGET.EXE to go through your > FireWall to allow it to download the needed AV vendor related files. > > C:\AV-CLS\StartMenu.BAT -- { or Double-click on 'Start Menu' in C:\AV-CLS} > This will bring up the initial menu of choices and should be executed in Normal Mode. > This way all the components can be downloaded from each AV vendor's web site. > The choices are; Sophos, Trend, McAfee, Kaspersky, Exit this menu and Reboot the PC. 
> > You can choose to go to each menu item and just download the needed files or you can > download the files and perform a scan in Normal Mode. Once you have downloaded the files > needed for each scanner you want to use, you should reboot the PC into Safe Mode [F8 key > during boot] and re-run the menu again and choose which scanner you want to run in Safe > Mode. It is suggested to run the scanners in both Safe Mode and Normal Mode. > > When the menu is displayed hitting 'H' or 'h' will bring up a more comprehensive PDF help > file. http://www.ik-cs.com/multi-av.htm > > Additional Instructions: > http://pcdid.com/Multi_AV.htm > > > * * * Please report back your results * * * > > > -- > Dave > http://www.claymania.com/removal-trojan-adware.html > http://www.ik-cs.com/got-a-virus.htm > > > |
| |||
| Re: Homepage hijack - blank.mht mathsgames wrote: > Thanks to all who replied. My Java in c:\programs\java - one folder only > - is j2re1.4.2_03 so I guess this is ok. > My own internet traffic - via AOL - works fine. So I guess my normal IP > addressing is working - and all my DNS / URL stuff works. > One extra symptom of this virus -- it seems to have a clock wakeup - after > about 10 mins of "normal" internet work up pops the rogue window claiming > to have some top value anti virus software at a killer price. Once I have > removed the rogue mht file and Registry entries all works fine again -- > until > another ten minutes have passed. Does this extra infor ring any bells > please?? > I guess you didn't see David Lipman's answer. Follow his instructions. Your Java is badly outdated and you need to clean up your machine. With the additional information you've provided, I'd also suggest that you run these specific removal steps also: http://www.elephantboycomputers.com/...itfraud_Trojan Malke -- MS-MVP Windows Shell/User Elephant Boy Computers www.elephantboycomputers.com "Don't Panic" |
| |||
| Re: Homepage hijack - blank.mht From: "mathsgames" <mathsgames@discussions.microsoft.com> | Thanks to all who replied. My Java in c:\programs\java - one folder only - | is j2re1.4.2_03 so I guess this is ok. | My own internet traffic - via AOL - works fine. So I guess my normal IP | addressing is working - and all my DNS / URL stuff works. | One extra symptom of this virus -- it seems to have a clock wakeup - after | about 10 mins of "normal" internet work up pops the rogue window claiming to | have some top value anti virus software at a killer price. Once I have | removed the rogue mht file and Registry entries all works fine again -- until | another ten minutes have passed. Does this extra infor ring any bells | please?? | No, JRE v4 update 3 [ j2re1.4.2_03 ] is NOT OK. It is flawed with vulnerabilities that are actively being exploited. It must be removed ASAP via the Control Panel applet "Add/Remove Programs" and v5 update 10 installed to replace it. Then use the removal tools I suggested as you are still infected and your vulnerable version of Sun Java may have been exploited to get you infected. -- Dave http://www.claymania.com/removal-trojan-adware.html http://www.ik-cs.com/got-a-virus.htm |
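The folder check described in David's replies (look under C:\Program Files\Java and compare what is there against jre1.5.0_10), written out as an added example that is not part of any post in the thread. The function names, the folder-name pattern and the sample folder list are assumptions made for illustration; the minimum version is the one named in the thread and is a parameter so a later baseline can be used. It shows that a single folder is not automatically a current one: the version encoded in the name is what decides.

```python
import os
import re

# Minimum release named in the thread: JRE 5.0 Update 10, installed as
# "jre1.5.0_10". Pass a newer tuple to audit against a later baseline.
MINIMUM = (1, 5, 0, 10)

# Assumed folder naming: "j2re1.4.2_03" / "j2sdk1.4.2_03" for 1.4.x and
# "jre1.5.0_10" / "jdk1.5.0_10" for 5.0. The "_NN" update suffix is missing
# on the first build of a line, e.g. "jre1.5.0".
_FOLDER = re.compile(
    r"^(?:j2re|jre|j2sdk|jdk)(\d+)\.(\d+)\.(\d+)(?:_(\d+))?$", re.IGNORECASE
)


def parse_java_folder(name):
    """Return (major, minor, patch, update) for a Java folder name, else None."""
    match = _FOLDER.match(name.strip())
    if match is None:
        return None
    major, minor, patch, update = match.groups()
    # No "_NN" suffix means update 0 of that release line.
    return (int(major), int(minor), int(patch), int(update or 0))


def audit_folders(names, minimum=MINIMUM):
    """Classify each folder name as 'ok', 'outdated' or 'unrecognised'."""
    findings = []
    for name in sorted(names):
        version = parse_java_folder(name)
        if version is None:
            status = "unrecognised"  # not a runtime folder name; review by hand
        elif version < minimum:
            status = "outdated"      # candidate for Add/Remove Programs
        else:
            status = "ok"
        findings.append((name, version, status))
    return findings


def has_outdated(names, minimum=MINIMUM):
    """True if any recognised runtime folder is older than the minimum."""
    return any(s == "outdated" for _, _, s in audit_folders(names, minimum))


def audit_directory(path=r"C:\Program Files\Java", minimum=MINIMUM):
    """Audit a real install directory, looking at sub-folders only."""
    names = [n for n in os.listdir(path) if os.path.isdir(os.path.join(path, n))]
    return audit_folders(names, minimum)


if __name__ == "__main__":
    # Constructed sample: the folder reported in the thread, an early 5.0
    # build with no update suffix, the recommended build, and a stray folder.
    sample = ["j2re1.4.2_03", "jre1.5.0", "jre1.5.0_10", "backup"]
    for name, version, status in audit_folders(sample):
        print(f"{name:15} {status}")
    print("outdated runtime present:", has_outdated(sample))
```

On the affected machine, `audit_directory()` runs the same classification over the real folder instead of the constructed list.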
| |||
| Re: Homepage hijack - blank.mht OK David. I will upgrade my Java and report back. I noticed a proc called "jusched.exe" in my Startup list. I think this is normally a valid Java updates scheduler. It may well be timed also. Maybe it is being used by the Virus. -- mathsgames "David H. Lipman" wrote: > From: "mathsgames" <mathsgames@discussions.microsoft.com> > > | Thanks to all who replied. My Java in c:\programs\java - one folder only - > | is j2re1.4.2_03 so I guess this is ok. > | My own internet traffic - via AOL - works fine. So I guess my normal IP > | addressing is working - and all my DNS / URL stuff works. > | One extra symptom of this virus -- it seems to have a clock wakeup - after > | about 10 mins of "normal" internet work up pops the rogue window claiming to > | have some top value anti virus software at a killer price. Once I have > | removed the rogue mht file and Registry entries all works fine again -- until > | another ten minutes have passed. Does this extra infor ring any bells > | please?? > | > > No, JRE v4 update 3 [ j2re1.4.2_03 ] is NOT OK. It is flawed with vulnerabilities that are > actively being exploited. > > It must be removed ASAP via the Control Panel applet "Add/Remove Programs" and v5 update 10 > installed to replace it. > > Then use the removal tools I suggested as you are still infected and your vulnerable version > of Sun Java may have been exploited to get you infected. > > -- > Dave > http://www.claymania.com/removal-trojan-adware.html > http://www.ik-cs.com/got-a-virus.htm > > > |