
Thread: Something new

  1. #11
    John Mason Jr Guest

    Re: Something new

    Lil' Abner wrote:
    > John Mason Jr <notvalid@cox.net.invalid> wrote in
    > news:gi49lp$gt2$1@news.motzarella.org:
    >
    >> Lil' Abner wrote:
    >>> John Mason Jr <notvalid@cox.net.invalid> wrote in
    >>> news:gi25pa$vv9$1@news.motzarella.org:
    >>>
    >>>> Lil' Abner wrote:
    >>>>> One of my friends called with a hijack problem and I was able to
    >>>>> get into his computer remotely with ShowMyPC. Any search you tried
    >>>>> to do with any search engine would always wind at up at one of
    >>>>> those phony search pages, I couldn't get to malwarebytes,
    >>>>> safer-networking, or superantispyware. So I got all the latest
    >>>>> versions downloaded to my own computer and then transferred them to
    >>>>> his along with Hijack This. I tried installing each of them in safe
    >>>>> mode with networking on his computer and was not able to
    >>>>> successfully install or run any of them. Spyware Doctor was already
    >>>>> installed but couldn't update and says it won't run until it gets
    >>>>> the definitions. I'm not quite sure how that got on there but I
    >>>>> didn't do it. He's bringing it to me tomorrow. It's a Gateway with
    >>>>> XP SP3. I can do a wipe and recover if necessary but I'd rather not
    >>>>> if I can get out of it. Any ideas?
    >>>>>
    >>>> A number of things you could try, AFTER MAKING A BACKUP !!!
    >>>>
    >>>> 1. Rename the executables
    >>>>
    >>>> 2. Use tools in sysinternals suite to id bad stuff and remove
    >>>> manually
    >>>>
    >>>> <http://technet.microsoft.com/en-us/sysinternals/default.aspx>
    >>>>
    >>>> 3. Take drive out and scan with another computer that already has
    >>>> updated anti malware software
    >>>>
    >>>> 4. Use a rescue disk like F-Secure or Avira
    >>>> http://www.free-av.com/en/tools/12/a...ue_system.html
    >>>>
    >>>> http://www.f-secure.com/linux-weblog...e-rescue-cd-30
    >>>> 0- released/
    >>> I downloaded the Avira CD and ran it. It listed a bunch of "warnings"
    >>> but didn't clean anything. I got the screenshot
    >>> http://mewnlite.com/phonywarning.gif while running in Safe Mode.
    >>> It tries to run whether you click yes or cancel or "X".
    >>> Starts the phony computer scan. So obviously it is one of the
    >>> Antivirus 2008 variants. The HOSTS file is empty, but I cannot go to
    >>> any of the antivirus vendors' sites. "Failed to Load the Page".
    >>> The F-Secure URL is good but when you click on the download the page
    >>> isn't there (404). I'm still working on it... :-)
    >>>
    >>>

    >> Did you try renaming the executables so they are able to run?
    >>
    >> Malwarebytes Anti malware should be able to remove the infection

    >
    > I finally got the F-Secure thing downloaded and ran it. It didn't find
    > *anything*. Then I slaved the drive in another machine and ran MBytes on
    > it. It found... http://mewnlite.com/mbam.gif . Then I put it back and
    > still no joy. I still don't believe that when I renamed mbam-setup.exe to
    > mblam.exe it actually installed! And updated. Is that the executable you
    > meant to rename?
    > Anyway, I ran it and it found all kinds of good stuff in the registry and
    > got rid of it. Everything is working normally now. I had no problems
    > installing HijackThis or SAS after that either.
    > Thanks to everyone for your help!


    Yes that was it, there is a bunch of malware out there that does a
    simple check for the name of the executable, to prevent it from running.


    John

  2. #12
    Lil' Abner Guest

    Re: Something new

    John Mason Jr <notvalid@cox.net.invalid> wrote in
    news:gi6ejd$s0m$1@news.motzarella.org:

    > Lil' Abner wrote:
    >> John Mason Jr <notvalid@cox.net.invalid> wrote in
    >> news:gi49lp$gt2$1@news.motzarella.org:
    >>
    >>> Lil' Abner wrote:
    >>>> John Mason Jr <notvalid@cox.net.invalid> wrote in
    >>>> news:gi25pa$vv9$1@news.motzarella.org:
    >>>>
    >>>>> Lil' Abner wrote:
    >>>>>> One of my friends called with a hijack problem and I was able to
    >>>>>> get into his computer remotely with ShowMyPC. Any search you
    >>>>>> tried to do with any search engine would always wind at up at one
    >>>>>> of those phony search pages, I couldn't get to malwarebytes,
    >>>>>> safer-networking, or superantispyware. So I got all the latest
    >>>>>> versions downloaded to my own computer and then transferred them
    >>>>>> to his along with Hijack This. I tried installing each of them in
    >>>>>> safe mode with networking on his computer and was not able to
    >>>>>> successfully install or run any of them. Spyware Doctor was
    >>>>>> already installed but couldn't update and says it won't run until
    >>>>>> it gets the definitions. I'm not quite sure how that got on there
    >>>>>> but I didn't do it. He's bringing it to me tomorrow. It's a
    >>>>>> Gateway with XP SP3. I can do a wipe and recover if necessary but
    >>>>>> I'd rather not if I can get out of it. Any ideas?
    >>>>>>
    >>>>> A number of things you could try, AFTER MAKING A BACKUP !!!
    >>>>>
    >>>>> 1. Rename the executables
    >>>>>
    >>>>> 2. Use tools in sysinternals suite to id bad stuff and remove
    >>>>> manually
    >>>>>
    >>>>> <http://technet.microsoft.com/en-us/sysinternals/default.aspx>
    >>>>>
    >>>>> 3. Take drive out and scan with another computer that already has
    >>>>> updated anti malware software
    >>>>>
    >>>>> 4. Use a rescue disk like F-Secure or Avira
    >>>>> http://www.free-av.com/en/tools/12/a...ue_system.html
    >>>>>
    >>>>> http://www.f-secure.com/linux-weblog...ure-rescue-cd-
    >>>>> 30 0- released/
    >>>> I downloaded the Avira CD and ran it. It listed a bunch of
    >>>> "warnings" but didn't clean anything. I got the screenshot
    >>>> http://mewnlite.com/phonywarning.gif while running in Safe Mode.
    >>>> It tries to run whether you click yes or cancel or "X".
    >>>> Starts the phony computer scan. So obviously it is one of the
    >>>> Antivirus 2008 variants. The HOSTS file is empty, but I cannot go
    >>>> to any of the antivirus vendors' sites. "Failed to Load the Page".
    >>>> The F-Secure URL is good but when you click on the download the
    >>>> page isn't there (404). I'm still working on it... :-)
    >>>>
    >>>>
    >>> Did you try renaming the executables so they are able to run?
    >>>
    >>> Malwarebytes Anti malware should be able to remove the infection

    >>
    >> I finally got the F-Secure thing downloaded and ran it. It didn't
    >> find *anything*. Then I slaved the drive in another machine and ran
    >> MBytes on it. It found... http://mewnlite.com/mbam.gif . Then I put
    >> it back and still no joy. I still don't believe that when I renamed
    >> mbam-setup.exe to mblam.exe it actually installed! And updated. Is
    >> that the executable you meant to rename?
    >> Anyway, I ran it and it found all kinds of good stuff in the registry
    >> and got rid of it. Everything is working normally now. I had no
    >> problems installing HijackThis or SAS after that either.
    >> Thanks to everyone for your help!

    >
    > Yes that was it, there is a bunch of malware out there that does a
    > simple check for the name of the executable, to prevent it from
    > running.


    I'm curious as to how the malware blocked access to all the antivirus and
    antimalware sites. They were not in the HOSTS file. I searched the
    registry for "symantec" and "trendmicro" and didn't get any hints. IE had
    no sites on the blocked list. Firefox and IE displayed the same behavior.
    After I got it cleaned up, there was no problem.


    --
    --- Where did my libigo? ---

  3. #13
    Beauregard T. Shagnasty Guest

    Re: Something new

    Lil' Abner wrote:

    > I'm curious as to how the malware blocked access to all the antivirus
    > and antimalware sites. They were not in the HOSTS file.


    Someone mentioned in one of these groups recently, that some malware
    changes the Windows (registry?) pointer to the *location* of the hosts
    file, and uses one of its own.

    Sorry, I can't find a link at the moment.

    --
    -bts
    -Friends don't let friends drive Windows

  4. #14
    David H. Lipman Guest

    Re: Something new

    From: "Beauregard T. Shagnasty" <a.nony.mous@example.invalid>

    | Lil' Abner wrote:

    >> I'm curious as to how the malware blocked access to all the antivirus
    >> and antimalware sites. They were not in the HOSTS file.


    | Someone mentioned in one of these groups recently, that some malware
    | changes the Windows (registry?) pointer to the *location* of the hosts
    | file, and uses one of its own.

    | Sorry, I can't find a link at the moment.

    Registry location:
    HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
    DataBasePath

    --
    Dave
    http://www.claymania.com/removal-trojan-adware.html
    Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp



  5. #15
    Beauregard T. Shagnasty Guest

    Re: Something new

    David H. Lipman wrote:

    > From: "Beauregard T. Shagnasty"
    >| Lil' Abner wrote:
    >>> I'm curious as to how the malware blocked access to all the
    >>> antivirus and antimalware sites. They were not in the HOSTS file.

    >
    >| Someone mentioned in one of these groups recently, that some malware
    >| changes the Windows (registry?) pointer to the *location* of the
    >| hosts file, and uses one of its own.
    >
    >| Sorry, I can't find a link at the moment.
    >
    > Registry location:
    > HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
    > DataBasePath


    Well, there ya go. <g> Li'l Abner should see what's there, and report
    back.

    --
    -bts
    -Friends don't let friends drive Windows

  6. #16
    Lil' Abner Guest

    Re: Something new

    "Beauregard T. Shagnasty" <a.nony.mous@example.invalid> wrote in
    news:gi88e4$5jc$1@news.motzarella.org:

    > David H. Lipman wrote:
    >
    >> From: "Beauregard T. Shagnasty"
    >>| Lil' Abner wrote:
    >>>> I'm curious as to how the malware blocked access to all the
    >>>> antivirus and antimalware sites. They were not in the HOSTS file.

    >>
    >>| Someone mentioned in one of these groups recently, that some malware
    >>| changes the Windows (registry?) pointer to the *location* of the
    >>| hosts file, and uses one of its own.
    >>
    >>| Sorry, I can't find a link at the moment.
    >>
    >> Registry location:
    >> HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
    >> DataBasePath

    >
    > Well, there ya go. <g> Li'l Abner should see what's there, and report
    > back.


    The computer went back home fixed. But I still have the clone from before I
    got it fixed. If it will boot up on my shop machine, I'll take a look. Or
    is there a way to read the registry on a slaved drive?

    --
    --- Where did my libigo? ---
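An added example, not posted by anyone in the thread: a PowerShell check for the DataBasePath value Dave named in #14, run both on the live machine and, as asked in #16, against the SYSTEM hive of a slaved drive. It assumes the slaved Windows volume is mounted as D: and that the script runs from an elevated prompt.

```powershell
# Added example: verify where Windows is told to look for the hosts file.
# Default value on an unmodified install (assumption: stock Windows layout).
$DefaultDbPath = '%SystemRoot%\System32\drivers\etc'

function Get-TcpipDataBasePath {
    param([string]$ControlSetKey)   # e.g. HKLM:\SYSTEM\CurrentControlSet
    $params = Join-Path $ControlSetKey 'Services\Tcpip\Parameters'
    (Get-ItemProperty -Path $params -Name DataBasePath -ErrorAction Stop).DataBasePath
}

function Test-HostsRedirect {
    param([string]$ControlSetKey)
    $dbPath = Get-TcpipDataBasePath $ControlSetKey
    if ($dbPath -ne $DefaultDbPath) {
        Write-Warning "DataBasePath is '$dbPath' (expected '$DefaultDbPath')"
    } else {
        Write-Output "DataBasePath is the default: $dbPath"
    }
    $dbPath
}

function Show-HostsEntries([string]$HostsFile) {
    # Print only the non-comment lines, i.e. the entries that actually redirect names
    if (Test-Path $HostsFile) { Get-Content $HostsFile | Where-Object { $_ -match '^\s*[^#\s]' } }
}

# 1. Live system: the path Windows is using right now
$live = Test-HostsRedirect 'HKLM:\SYSTEM\CurrentControlSet'
Show-HostsEntries (Join-Path ([Environment]::ExpandEnvironmentVariables($live)) 'hosts')

# 2. Slaved drive: load its SYSTEM hive under a temporary key (assumption: volume is D:)
$offlineHive = 'D:\Windows\System32\config\SYSTEM'
if (Test-Path $offlineHive) {
    reg.exe load 'HKLM\OfflineSys' $offlineHive | Out-Null
    try {
        # An offline hive has no CurrentControlSet; Select\Current names the ControlSet00N in use
        $n  = (Get-ItemProperty 'HKLM:\OfflineSys\Select' -Name Current).Current
        $cs = 'HKLM:\OfflineSys\ControlSet{0:D3}' -f $n
        $off = Test-HostsRedirect $cs
        # %SystemRoot% in the offline value refers to the slaved install, not this machine
        Show-HostsEntries (Join-Path ($off -replace '%SystemRoot%', 'D:\Windows') 'hosts')
    } finally {
        [GC]::Collect()   # drop provider handles so the hive can be unloaded
        reg.exe unload 'HKLM\OfflineSys' | Out-Null
    }
}
```

A DataBasePath pointing anywhere other than the default directory is the condition described in #13, and the hosts file at that location is the one to inspect.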
