John Mason Jr <notvalid@cox.net.invalid> wrote in
news:gi49lp$gt2$1@news.motzarella.org:
> Lil' Abner wrote:
>> John Mason Jr <notvalid@cox.net.invalid> wrote in
>> news:gi25pa$vv9$1@news.motzarella.org:
>>
>>> Lil' Abner wrote:
>>>> One of my friends called with a hijack problem and I was able to
>>>> get into his computer remotely with ShowMyPC. Any search you tried
>>>> to do with any search engine would always wind up at one of
>>>> those phony search pages, I couldn't get to malwarebytes,
>>>> safer-networking, or superantispyware. So I got all the latest
>>>> versions downloaded to my own computer and then transferred them to
>>>> his along with Hijack This. I tried installing each of them in safe
>>>> mode with networking on his computer and was not able to
>>>> successfully install or run any of them. Spyware Doctor was already
>>>> installed but couldn't update and says it won't run until it gets
>>>> the definitions. I'm not quite sure how that got on there but I
>>>> didn't do it. He's bringing it to me tomorrow. It's a Gateway with
>>>> XP SP3. I can do a wipe and recover if necessary but I'd rather not
>>>> if I can get out of it. Any ideas?
>>>>
>>>
>>> A number of things you could try, AFTER MAKING A BACKUP !!!
>>>
>>> 1. Rename the executables
>>>
>>> 2. Use tools in sysinternals suite to id bad stuff and remove
>>> manually
>>>
>>> <http://technet.microsoft.com/en-us/sysinternals/default.aspx>
>>>
>>> 3. Take drive out and scan with another computer that already has
>>> updated
>>> anti malware software
>>>
>>> 4. Use a rescue disk like F-Secure or Avira
>>> http://www.free-av.com/en/tools/12/a...ue_system.html
>>>
>>> http://www.f-secure.com/linux-weblog...e-rescue-cd-30
>>> 0- released/
>>
>> I downloaded the Avira CD and ran it. It listed a bunch of "warnings"
>> but didn't clean anything. I got the screenshot
>> http://mewnlite.com/phonywarning.gif while running in Safe Mode.
>> It tries to run whether you click yes or cancel or "X".
>> Starts the phony computer scan. So obviously it is one of the
>> Antivirus 2008 variants. The HOSTS file is empty, but I cannot go to
>> any of the antivirus vendors' sites. "Failed to Load the Page".
>> The F-Secure URL is good but when you click on the download the page
>> isn't there (404). I'm still working on it... :-)
>>
>>
> Did you try renaming the executables so they are able to run?
>
> Malwarebytes Anti malware should be able to remove the infection
I finally got the F-Secure thing downloaded and ran it. It didn't find
*anything*. Then I slaved the drive in another machine and ran MBytes on
it. It found... http://mewnlite.com/mbam.gif . Then I put it back and
still no joy. I still don't believe that when I renamed mbam-setup.exe to
mblam.exe it actually installed! And updated. Is that the executable you
meant to rename?
Anyway, I ran it and it found all kinds of good stuff in the registry and
got rid of it. Everything is working normally now. I had no problems
installing HijackThis or SAS after that either.
Thanks to everyone for your help!
--
--- Where did my libigo? ---

