Thread: Something new

  1. #1
    Lil' Abner Guest

    Something new

    One of my friends called with a hijack problem and I was able to get into
    his computer remotely with ShowMyPC. Any search you tried to do with any
    search engine would always wind up at one of those phony search pages, I
    couldn't get to malwarebytes, safer-networking, or superantispyware. So I
    got all the latest versions downloaded to my own computer and then
    transferred them to his along with Hijack This. I tried installing each of
    them in safe mode with networking on his computer and was not able to
    successfully install or run any of them. Spyware Doctor was already
    installed but couldn't update and says it won't run until it gets the
    definitions. I'm not quite sure how that got on there but I didn't do it.
    He's bringing it to me tomorrow. It's a Gateway with XP SP3. I can do a
    wipe and recover if necessary but I'd rather not if I can get out of it.
    Any ideas?

    --
    --- Where did my libigo? ---

  2. #2
    John Mason Jr Guest

    Re: Something new

    Lil' Abner wrote:
    > One of my friends called with a hijack problem and I was able to get into
    > his computer remotely with ShowMyPC. Any search you tried to do with any
    > search engine would always wind up at one of those phony search pages, I
    > couldn't get to malwarebytes, safer-networking, or superantispyware. So I
    > got all the latest versions downloaded to my own computer and then
    > transferred them to his along with Hijack This. I tried installing each of
    > them in safe mode with networking on his computer and was not able to
    > successfully install or run any of them. Spyware Doctor was already
    > installed but couldn't update and says it won't run until it gets the
    > definitions. I'm not quite sure how that got on there but I didn't do it.
    > He's bringing it to me tomorrow. It's a Gateway with XP SP3. I can do a
    > wipe and recover if necessary but I'd rather not if I can get out of it.
    > Any ideas?
    >



    A number of things you could try, AFTER MAKING A BACKUP !!!

    1. Rename the executables

    2. Use tools in sysinternals suite to id bad stuff and remove manually

    <http://technet.microsoft.com/en-us/sysinternals/default.aspx>

    3. Take drive out and scan with another computer that already has updated
    anti malware software

    4. Use a rescue disk like F-Secure or Avira
    http://www.free-av.com/en/tools/12/a...ue_system.html

    http://www.f-secure.com/linux-weblog...-300-released/


    John

  3. #3
    Beauregard T. Shagnasty Guest

    Re: Something new

    Lil' Abner wrote:

    > One of my friends called with a hijack problem and I was able to get
    > into his computer remotely with ShowMyPC. Any search you tried to do
    > with any search engine would always wind up at one of those phony
    > search pages, I couldn't get to malwarebytes, safer-networking, or
    > superantispyware. So I got all the latest versions downloaded to my
    > own computer and then transferred them to his along with Hijack This.
    > I tried installing each of them in safe mode with networking on his
    > computer and was not able to successfully install or run any of them.
    > Spyware Doctor was already installed but couldn't update and says it
    > won't run until it gets the definitions. I'm not quite sure how that
    > got on there but I didn't do it. He's bringing it to me tomorrow.
    > It's a Gateway with XP SP3. I can do a wipe and recover if necessary
    > but I'd rather not if I can get out of it. Any ideas?


    5. Edit and view his HOSTS file. Look for legitimate sites that don't
    belong there. (Did you run anything from PCButts?)

    --
    -bts
    -Friends don't let friends drive Windows
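
The HOSTS check suggested in post #3, as an added example that is not part of the original posts: it parses a hosts file (for instance one read from a slaved drive) and flags entries that block or redirect the security vendors named in the thread. The vendor keywords come from the thread; the function names, the sample file and its addresses are constructed for illustration.

```python
import ipaddress

# Vendor names the thread reports as unreachable (matched as substrings).
WATCHED = ("malwarebytes", "safer-networking", "superantispyware")
LOCAL_NAMES = {"localhost", "localhost.localdomain", "ip6-localhost", "ip6-loopback"}

def parse_hosts(text):
    """Yield (lineno, ip, hostname) per mapping; skip comments, blanks, bad IPs."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        fields = line.split()
        if len(fields) < 2:
            continue
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # first field is not an address: not a mapping line
        for name in fields[1:]:
            yield lineno, ip, name.lower().rstrip(".")

def audit_hosts(text, watched=WATCHED):
    """Return (lineno, hostname, ip, reason) for entries worth a manual look."""
    findings = []
    for lineno, ip, name in parse_hosts(text):
        if name in LOCAL_NAMES:
            continue
        sinkholed = ip.is_loopback or ip.is_unspecified
        if any(keyword in name for keyword in watched):
            reason = ("security vendor blocked" if sinkholed
                      else "security vendor redirected")
        elif not sinkholed:
            reason = "name pinned to address"
        else:
            continue  # other names sent to loopback: typical ad-block entries
        findings.append((lineno, name, str(ip), reason))
    return findings

def load_hosts(path):
    """Read a hosts file from a live or slaved drive without trusting its encoding."""
    with open(path, "rb") as fh:
        return fh.read().decode("utf-8", errors="replace")

# Constructed sample, not taken from the machine in the thread.
SAMPLE = """\
# constructed sample hosts file
127.0.0.1       localhost
127.0.0.1       www.malwarebytes.org malwarebytes.org
203.0.113.10    www.superantispyware.com   # redirected elsewhere
0.0.0.0         ads.example.net
198.51.100.7    www.google.com
"""

if __name__ == "__main__":
    for finding in audit_hosts(SAMPLE):
        print("line %d: %s -> %s (%s)" % finding)
```

A clean result only clears the hosts file: post #6 reports an empty HOSTS file while the vendor sites were still unreachable.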

  4. #4
    Lil' Abner Guest

    Re: Something new

    "Beauregard T. Shagnasty" <a.nony.mous@example.invalid> wrote in
    news:gi27qa$99p$1@news.motzarella.org:

    > Lil' Abner wrote:
    >
    >> One of my friends called with a hijack problem and I was able to get
    >> into his computer remotely with ShowMyPC. Any search you tried to do
    >> with any search engine would always wind up at one of those phony
    >> search pages, I couldn't get to malwarebytes, safer-networking, or
    >> superantispyware. So I got all the latest versions downloaded to my
    >> own computer and then transferred them to his along with Hijack This.
    >> I tried installing each of them in safe mode with networking on his
    >> computer and was not able to successfully install or run any of them.
    >> Spyware Doctor was already installed but couldn't update and says it
    >> won't run until it gets the definitions. I'm not quite sure how that
    >> got on there but I didn't do it. He's bringing it to me tomorrow.
    >> It's a Gateway with XP SP3. I can do a wipe and recover if necessary
    >> but I'd rather not if I can get out of it. Any ideas?

    >
    > 5. Edit and view his HOSTS file. Look for legitimate sites that don't
    > belong there. (Did you run anything from PCButts?)
    >


    I forgot to mention that I looked at the HOSTS file. It's OK.
    And NO! :-)

    --
    --- Where did my libigo? ---

  5. #5
    The Real Truth MVP Guest

    Re: Something new

    Use my Remove-it software, it will remove that malware from your system.
    Choose yes for all options when prompted. Download it here
    http://pcbutts1.com/downloads/tools/tools.htm



    --
    The Real Truth http://pcbutts1-therealtruth.blogspot.com/




    "Lil' Abner" <blvstk@dogpatch.com> wrote in message
    news:Xns9B741684B28B5butter@wefb973cbe498...
    > "Beauregard T. Shagnasty" <a.nony.mous@example.invalid> wrote in
    > news:gi27qa$99p$1@news.motzarella.org:
    >
    >> Lil' Abner wrote:
    >>
    >>> One of my friends called with a hijack problem and I was able to get
    >>> into his computer remotely with ShowMyPC. Any search you tried to do
    >>> with any search engine would always wind up at one of those phony
    >>> search pages, I couldn't get to malwarebytes, safer-networking, or
    >>> superantispyware. So I got all the latest versions downloaded to my
    >>> own computer and then transferred them to his along with Hijack This.
    >>> I tried installing each of them in safe mode with networking on his
    >>> computer and was not able to successfully install or run any of them.
    >>> Spyware Doctor was already installed but couldn't update and says it
    >>> won't run until it gets the definitions. I'm not quite sure how that
    >>> got on there but I didn't do it. He's bringing it to me tomorrow.
    >>> It's a Gateway with XP SP3. I can do a wipe and recover if necessary
    >>> but I'd rather not if I can get out of it. Any ideas?

    >>
    >> 5. Edit and view his HOSTS file. Look for legitimate sites that don't
    >> belong there. (Did you run anything from PCButts?)
    >>

    >
    > I forgot to mention that I looked at the HOSTS file. It's OK.
    > And NO! :-)
    >
    > --
    > --- Where did my libigo? ---



  6. #6
    Lil' Abner Guest

    Re: Something new

    John Mason Jr <notvalid@cox.net.invalid> wrote in
    news:gi25pa$vv9$1@news.motzarella.org:

    > Lil' Abner wrote:
    >> One of my friends called with a hijack problem and I was able to get
    >> into his computer remotely with ShowMyPC. Any search you tried to do
    >> with any search engine would always wind up at one of those phony
    >> search pages, I couldn't get to malwarebytes, safer-networking, or
    >> superantispyware. So I got all the latest versions downloaded to my
    >> own computer and then transferred them to his along with Hijack This.
    >> I tried installing each of them in safe mode with networking on his
    >> computer and was not able to successfully install or run any of them.
    >> Spyware Doctor was already installed but couldn't update and says it
    >> won't run until it gets the definitions. I'm not quite sure how that
    >> got on there but I didn't do it. He's bringing it to me tomorrow.
    >> It's a Gateway with XP SP3. I can do a wipe and recover if necessary
    >> but I'd rather not if I can get out of it. Any ideas?
    >>

    >
    >
    > A number of things you could try, AFTER MAKING A BACKUP !!!
    >
    > 1. Rename the executables
    >
    > 2. Use tools in sysinternals suite to id bad stuff and remove manually
    >
    ><http://technet.microsoft.com/en-us/sysinternals/default.aspx>
    >
    > 3. Take drive out and scan with another computer that already has
    > updated
    > anti malware software
    >
    > 4. Use a rescue disk like F-Secure or Avira
    > http://www.free-av.com/en/tools/12/a...ue_system.html
    >
    > http://www.f-secure.com/linux-weblog...rescue-cd-300-
    > released/


    I downloaded the Avira CD and ran it. It listed a bunch of "warnings" but
    didn't clean anything. I got the screenshot
    http://mewnlite.com/phonywarning.gif while running in Safe Mode.
    It tries to run whether you click yes or cancel or "X".
    Starts the phony computer scan. So obviously it is one of the Antivirus
    2008 variants. The HOSTS file is empty, but I cannot go to any of the
    antivirus vendors' sites. "Failed to Load the Page".
    The F-Secure URL is good but when you click on the download the page isn't
    there (404). I'm still working on it... :-)


    --
    --- Where did my libigo? ---

  7. #7
    John Mason Jr Guest

    Re: Something new

    Lil' Abner wrote:
    > John Mason Jr <notvalid@cox.net.invalid> wrote in
    > news:gi25pa$vv9$1@news.motzarella.org:
    >
    >> Lil' Abner wrote:
    >>> One of my friends called with a hijack problem and I was able to get
    >>> into his computer remotely with ShowMyPC. Any search you tried to do
    >>> with any search engine would always wind up at one of those phony
    >>> search pages, I couldn't get to malwarebytes, safer-networking, or
    >>> superantispyware. So I got all the latest versions downloaded to my
    >>> own computer and then transferred them to his along with Hijack This.
    >>> I tried installing each of them in safe mode with networking on his
    >>> computer and was not able to successfully install or run any of them.
    >>> Spyware Doctor was already installed but couldn't update and says it
    >>> won't run until it gets the definitions. I'm not quite sure how that
    >>> got on there but I didn't do it. He's bringing it to me tomorrow.
    >>> It's a Gateway with XP SP3. I can do a wipe and recover if necessary
    >>> but I'd rather not if I can get out of it. Any ideas?
    >>>

    >>
    >> A number of things you could try, AFTER MAKING A BACKUP !!!
    >>
    >> 1. Rename the executables
    >>
    >> 2. Use tools in sysinternals suite to id bad stuff and remove manually
    >>
    >> <http://technet.microsoft.com/en-us/sysinternals/default.aspx>
    >>
    >> 3. Take drive out and scan with another computer that already has
    >> updated
    >> anti malware software
    >>
    >> 4. Use a rescue disk like F-Secure or Avira
    >> http://www.free-av.com/en/tools/12/a...ue_system.html
    >>
    >> http://www.f-secure.com/linux-weblog...rescue-cd-300-
    >> released/

    >
    > I downloaded the Avira CD and ran it. It listed a bunch of "warnings" but
    > didn't clean anything. I got the screenshot
    > http://mewnlite.com/phonywarning.gif while running in Safe Mode.
    > It tries to run whether you click yes or cancel or "X".
    > Starts the phony computer scan. So obviously it is one of the Antivirus
    > 2008 variants. The HOSTS file is empty, but I cannot go to any of the
    > antivirus vendors' sites. "Failed to Load the Page".
    > The F-Secure URL is good but when you click on the download the page isn't
    > there (404). I'm still working on it... :-)
    >
    >

    Did you try renaming the executables so they are able to run?

    Malwarebytes Anti malware should be able to remove the infection

  8. #8
    The Real Truth MVP Guest

    Re: Something new

    Use my Remove-it software, it will remove that malware from your system.
    Choose yes for all options when prompted. Download it here
    http://pcbutts1.com/downloads/tools/tools.htm


    --
    The Real Truth http://pcbutts1-therealtruth.blogspot.com/




    "Lil' Abner" <blvstk@dogpatch.com> wrote in message
    news:Xns9B74B407E7096butter@wefb973cbe498...
    > John Mason Jr <notvalid@cox.net.invalid> wrote in
    > news:gi25pa$vv9$1@news.motzarella.org:
    >
    >> Lil' Abner wrote:
    >>> One of my friends called with a hijack problem and I was able to get
    >>> into his computer remotely with ShowMyPC. Any search you tried to do
    >>> with any search engine would always wind up at one of those phony
    >>> search pages, I couldn't get to malwarebytes, safer-networking, or
    >>> superantispyware. So I got all the latest versions downloaded to my
    >>> own computer and then transferred them to his along with Hijack This.
    >>> I tried installing each of them in safe mode with networking on his
    >>> computer and was not able to successfully install or run any of them.
    >>> Spyware Doctor was already installed but couldn't update and says it
    >>> won't run until it gets the definitions. I'm not quite sure how that
    >>> got on there but I didn't do it. He's bringing it to me tomorrow.
    >>> It's a Gateway with XP SP3. I can do a wipe and recover if necessary
    >>> but I'd rather not if I can get out of it. Any ideas?
    >>>

    >>
    >>
    >> A number of things you could try, AFTER MAKING A BACKUP !!!
    >>
    >> 1. Rename the executables
    >>
    >> 2. Use tools in sysinternals suite to id bad stuff and remove manually
    >>
    >><http://technet.microsoft.com/en-us/sysinternals/default.aspx>
    >>
    >> 3. Take drive out and scan with another computer that already has
    >> updated
    >> anti malware software
    >>
    >> 4. Use a rescue disk like F-Secure or Avira
    >> http://www.free-av.com/en/tools/12/a...ue_system.html
    >>
    >> http://www.f-secure.com/linux-weblog...rescue-cd-300-
    >> released/

    >
    > I downloaded the Avira CD and ran it. It listed a bunch of "warnings" but
    > didn't clean anything. I got the screenshot
    > http://mewnlite.com/phonywarning.gif while running in Safe Mode.
    > It tries to run whether you click yes or cancel or "X".
    > Starts the phony computer scan. So obviously it is one of the Antivirus
    > 2008 variants. The HOSTS file is empty, but I cannot go to any of the
    > antivirus vendors' sites. "Failed to Load the Page".
    > The F-Secure URL is good but when you click on the download the page isn't
    > there (404). I'm still working on it... :-)
    >
    >
    > --
    > --- Where did my libigo? ---



  9. #9
    Lil' Abner Guest

    Re: Something new

    John Mason Jr <notvalid@cox.net.invalid> wrote in
    news:gi49lp$gt2$1@news.motzarella.org:

    > Lil' Abner wrote:
    >> John Mason Jr <notvalid@cox.net.invalid> wrote in
    >> news:gi25pa$vv9$1@news.motzarella.org:
    >>
    >>> Lil' Abner wrote:
    >>>> One of my friends called with a hijack problem and I was able to
    >>>> get into his computer remotely with ShowMyPC. Any search you tried
    >>>> to do with any search engine would always wind up at one of
    >>>> those phony search pages, I couldn't get to malwarebytes,
    >>>> safer-networking, or superantispyware. So I got all the latest
    >>>> versions downloaded to my own computer and then transferred them to
    >>>> his along with Hijack This. I tried installing each of them in safe
    >>>> mode with networking on his computer and was not able to
    >>>> successfully install or run any of them. Spyware Doctor was already
    >>>> installed but couldn't update and says it won't run until it gets
    >>>> the definitions. I'm not quite sure how that got on there but I
    >>>> didn't do it. He's bringing it to me tomorrow. It's a Gateway with
    >>>> XP SP3. I can do a wipe and recover if necessary but I'd rather not
    >>>> if I can get out of it. Any ideas?
    >>>>
    >>>
    >>> A number of things you could try, AFTER MAKING A BACKUP !!!
    >>>
    >>> 1. Rename the executables
    >>>
    >>> 2. Use tools in sysinternals suite to id bad stuff and remove
    >>> manually
    >>>
    >>> <http://technet.microsoft.com/en-us/sysinternals/default.aspx>
    >>>
    >>> 3. Take drive out and scan with another computer that already has
    >>> updated
    >>> anti malware software
    >>>
    >>> 4. Use a rescue disk like F-Secure or Avira
    >>> http://www.free-av.com/en/tools/12/a...ue_system.html
    >>>
    >>> http://www.f-secure.com/linux-weblog...e-rescue-cd-30
    >>> 0- released/

    >>
    >> I downloaded the Avira CD and ran it. It listed a bunch of "warnings"
    >> but didn't clean anything. I got the screenshot
    >> http://mewnlite.com/phonywarning.gif while running in Safe Mode.
    >> It tries to run whether you click yes or cancel or "X".
    >> Starts the phony computer scan. So obviously it is one of the
    >> Antivirus 2008 variants. The HOSTS file is empty, but I cannot go to
    >> any of the antivirus vendors' sites. "Failed to Load the Page".
    >> The F-Secure URL is good but when you click on the download the page
    >> isn't there (404). I'm still working on it... :-)
    >>
    >>

    > Did you try renaming the executables so they are able to run?
    >
    > Malwarebytes Anti malware should be able to remove the infection


    I finally got the F-Secure thing downloaded and ran it. It didn't find
    *anything*. Then I slaved the drive in another machine and ran MBytes on
    it. It found... http://mewnlite.com/mbam.gif . Then I put it back and
    still no joy. I still don't believe that when I renamed mbam-setup.exe to
    mblam.exe it actually installed! And updated. Is that the executable you
    meant to rename?
    Anyway, I ran it and it found all kinds of good stuff in the registry and
    got rid of it. Everything is working normally now. I had no problems
    installing HijackThis or SAS after that either.
    Thanks to everyone for your help!

    --
    --- Where did my libigo? ---

  10. #10
    Join Date
    Sep 2008
    Posts
    108
    You've got a predicament, my friend. Sorry, I don't know. Then again, I'm no IT or network tech. From the common man's point of view, I'd place it as a secondary with a known good HDD, then run scans on it from there (I'd make sure nothing critical is on the new primary in case of cross-drive infections). If you do, get a great 5-star firewall and block all network traffic to see what happens.
