Lil' Abner wrote:
> John Mason Jr <notvalid@cox.net.invalid> wrote in
> news:gi49lp$gt2$1@news.motzarella.org:
>
>> Lil' Abner wrote:
>>> John Mason Jr <notvalid@cox.net.invalid> wrote in
>>> news:gi25pa$vv9$1@news.motzarella.org:
>>>
>>>> Lil' Abner wrote:
>>>>> One of my friends called with a hijack problem and I was able to
>>>>> get into his computer remotely with ShowMyPC. Any search you tried
>>>>> to do with any search engine would always wind up at one of
>>>>> those phony search pages, I couldn't get to malwarebytes,
>>>>> safer-networking, or superantispyware. So I got all the latest
>>>>> versions downloaded to my own computer and then transferred them to
>>>>> his along with Hijack This. I tried installing each of them in safe
>>>>> mode with networking on his computer and was not able to
>>>>> successfully install or run any of them. Spyware Doctor was already
>>>>> installed but couldn't update and says it won't run until it gets
>>>>> the definitions. I'm not quite sure how that got on there but I
>>>>> didn't do it. He's bringing it to me tomorrow. It's a Gateway with
>>>>> XP SP3. I can do a wipe and recover if necessary but I'd rather not
>>>>> if I can get out of it. Any ideas?
>>>>>
>>>> A number of things you could try, AFTER MAKING A BACKUP !!!
>>>>
>>>> 1. Rename the executables
>>>>
>>>> 2. Use tools in sysinternals suite to id bad stuff and remove
>>>> manually
>>>>
>>>> <http://technet.microsoft.com/en-us/sysinternals/default.aspx>
>>>>
>>>> 3. Take the drive out and scan it with another computer that already
>>>> has updated anti-malware software
>>>>
>>>> 4. Use a rescue disk like F-Secure or Avira
>>>> http://www.free-av.com/en/tools/12/a...ue_system.html
>>>>
>>>> http://www.f-secure.com/linux-weblog...e-rescue-cd-30
>>>> 0- released/
>>> I downloaded the Avira CD and ran it. It listed a bunch of "warnings"
>>> but didn't clean anything. I got the screenshot
>>> http://mewnlite.com/phonywarning.gif while running in Safe Mode.
>>> It tries to run whether you click yes or cancel or "X".
>>> Starts the phony computer scan. So obviously it is one of the
>>> Antivirus 2008 variants. The HOSTS file is empty, but I cannot go to
>>> any of the antivirus vendors' sites. "Failed to Load the Page".
>>> The F-Secure URL is good but when you click on the download the page
>>> isn't there (404). I'm still working on it... :-)
>>>
>>>

>> Did you try renaming the executables so they are able to run?
>>
>> Malwarebytes Anti malware should be able to remove the infection

>
> I finally got the F-Secure thing downloaded and ran it. It didn't find
> *anything*. Then I slaved the drive in another machine and ran MBytes on
> it. It found... http://mewnlite.com/mbam.gif . Then I put it back and
> still no joy. I still don't believe that when I renamed mbam-setup.exe to
> mblam.exe it actually installed! And updated. Is that the executable you
> meant to rename?
> Anyway, I ran it and it found all kinds of good stuff in the registry and
> got rid of it. Everything is working normally now. I had no problems
> installing HijackThis or SAS after that either.
> Thanks to everyone for your help!


Yes, that was it. There is a bunch of malware out there that does a
simple check on the name of the executable to prevent it from running.


John