On 10 Aug we were hit by two worms, caught by AVG antispy, and supposedly fixed. Worm Lover.A took out IE7 explorer.exe wherever it was found. Worm Brontok.CU took out two files in msconfig, one in system32\dllcache\msconfig.exe, and the other in pchelpcenter\binaries\msconfig. AVG report said that infections were quarantined, and fixed by backup files. This does not seem to be the case, maybe for a different reason. I picked up a copy of Mozilla Firefox from my daughter, installed it so I could get back to the web. A few hours later I tried to uninstall IE7 as a Windows component, and download a new copy of IE7 from the MS IE7 home page. I clicked download, and in the upper left hand corner of my monitor was a box saying "You have chosen to open (filename) which is a binary file from (issuer). Check yes to continue." I did, and a file downloaded, went through what seemed to be a normal installation cycle, as in deleting files, moving files, etc. However, just before the file began its install, the installer said close down all antispy, AV, and firewalls to prevent faults in the install. Blindly, I did, thinking I was taking direction from Microsoft. Bad mistake. Now my computer is a part of a bot net.
I learned this by chance the next day when I was browsing my Norton activity logs, and found in the connections log numerous IP only addresses, with occasional large volumes of traffic. Their start coincided with the time on the 10th when I had installed the spoofed IE7. On the Norton services log it showed changes made to firewall and AV settings, even though those settings were password protected. Also, in place of my Intel PRO 100 network, it showed numerous entries for Loopback Pseudo Interface, or a Teredo Tunneling Pseudo Interface, at an IP address of fe80::ffff:ffff:fffd. I Googled the Teredo line, and found that it was a part of the IPv6 network protocols. I went to a command prompt, and uninstalled IPv6. It worked for a while, but after a couple of hours the traffic came back, but without the weird Pseudo Interface markings. I have posted to the Spybot Forum, and am waiting for their analysis of my HijackThis log.
There are many problems here: one, the loss of IE7, the two msconfig files, and a probable virtual bot buried deeply in my computer. My daughter, who lives one mile away and is on DSL vice my wireless broadband, yesterday was visiting a site, which suggested to her that she download a new version of Flash. It also came out as a binary file, but the Flash program seemed to work well. Is there something new at Microsoft that makes all file downloads now come out with this binary warning? As to the probable virtual bot, based on some recent PC World articles about this, the bot is probably within the Intel chip. My plan is that if I can't figure this out soon with this forum or the Spybot forum, I will probably take the computer to my friendly computer man and upgrade the CPU (which I have been planning for some time), wipe C drive and start fresh, and hope that the bot is not hiding in the BIOS or my D drive with all my system restoration files. And if this all works, I think I will install Symantec Antibot, just in case it might help. Any suggestions?
Why Do All My downloads Now Come Out as Binary, POSSIBLE VIRTUAL BOT?
#2
Posted 13 August 2008 - 09:49 AM
Posting on the Spybot Support Forums is a very wise move; they are staffed by usually very knowledgeable and experienced people; on the rare Chance they can NOT handle your "Situation", then I recommend the Forums at aumha.net/, which are staffed by several "Microsoft Most Valuable Professionals".
However, I feel your Choice of security programs is unwise; I do NOT recommend ANY Symantec/Norton product or Spybot; for antiSPYWARE/antiTROJAN programs (which include "bots"), Most experienced, highly trained, CERTIFIED, Volunteer "Malware-Fighters" recommend: 1) the FREE Ver of "SUPERAntiSpyware" from [http://www.superantispyware.com/]; 2) the "FREE" Ver of "MalwareBytes' Anti-Malware", most easily downloaded from [http://www.malwarebytes.org/mbam.php].
For an antiVIRUS program, I recommend the FREE Avast Home Edition ([http://www.avast.com/]) with Info at [http://www.avast.com/eng/avast4home.html].
Testing from INDEPENDENT Sources reveals that Norton has a very poor 18% "Prevention Rate"; however, IF you decide to "switch", you would need to use the "Norton Removal Tool" available at various Sites.
And there was no mention as to IF you use a software Firewall, such as Zone Alarm!?
#3
Posted 13 August 2008 - 11:20 AM
Yes, I have a software firewall, Norton Internet Security firewall and antivirus, plus Spysweeper, AVG antispy, and Spybot. I have just about decided to do a destructive restoration of my computer and start fresh, and hope that the bot is not hidden in the BIOS or the processor. I still wonder, though, why the downloads come through with the notice that they are binary files. Is this something new with a MS change, or something worm related?
#4
Posted 13 August 2008 - 11:59 AM
On rare occasions, viruses do infect the BIOS. Usually after a fresh install you are considered CLEAN. I would suggest heading over to the Spybot forums or Aumha as Spiritwind suggested, as there are no experienced malware removal specialists in this forum, IF you decide not to reinstall Windows.