John Mason Jr <notvalid@cox.net.invalid> wrote in
news:gi6ejd$s0m$1@news.motzarella.org:
> Lil' Abner wrote:
>> John Mason Jr <notvalid@cox.net.invalid> wrote in
>> news:gi49lp$gt2$1@news.motzarella.org:
>>
>>> Lil' Abner wrote:
>>>> John Mason Jr <notvalid@cox.net.invalid> wrote in
>>>> news:gi25pa$vv9$1@news.motzarella.org:
>>>>
>>>>> Lil' Abner wrote:
>>>>>> One of my friends called with a hijack problem and I was able to
>>>>>> get into his computer remotely with ShowMyPC. Any search you
>>>>>> tried to do with any search engine would always wind up at one
>>>>>> of those phony search pages, I couldn't get to malwarebytes,
>>>>>> safer-networking, or superantispyware. So I got all the latest
>>>>>> versions downloaded to my own computer and then transferred them
>>>>>> to his along with Hijack This. I tried installing each of them in
>>>>>> safe mode with networking on his computer and was not able to
>>>>>> successfully install or run any of them. Spyware Doctor was
>>>>>> already installed but couldn't update and says it won't run until
>>>>>> it gets the definitions. I'm not quite sure how that got on there
>>>>>> but I didn't do it. He's bringing it to me tomorrow. It's a
>>>>>> Gateway with XP SP3. I can do a wipe and recover if necessary but
>>>>>> I'd rather not if I can get out of it. Any ideas?
>>>>>>
>>>>> A number of things you could try, AFTER MAKING A BACKUP !!!
>>>>>
>>>>> 1. Rename the executables
>>>>>
>>>>> 2. Use tools in sysinternals suite to id bad stuff and remove
>>>>> manually
>>>>>
>>>>> <http://technet.microsoft.com/en-us/sysinternals/default.aspx>
>>>>>
>>>>> 3. Take drive out and scan with another computer that already has
>>>>> updated anti-malware software
>>>>>
>>>>> 4. Use a rescue disk like F-Secure or Avira
>>>>> http://www.free-av.com/en/tools/12/a...ue_system.html
>>>>>
>>>>> http://www.f-secure.com/linux-weblog...ure-rescue-cd-
>>>>> 30 0- released/
>>>> I downloaded the Avira CD and ran it. It listed a bunch of
>>>> "warnings" but didn't clean anything. I got the screenshot
>>>> http://mewnlite.com/phonywarning.gif while running in Safe Mode.
>>>> It tries to run whether you click yes or cancel or "X".
>>>> Starts the phony computer scan. So obviously it is one of the
>>>> Antivirus 2008 variants. The HOSTS file is empty, but I cannot go
>>>> to any of the antivirus vendors' sites. "Failed to Load the Page".
>>>> The F-Secure URL is good but when you click on the download the
>>>> page isn't there (404). I'm still working on it... :-)
>>>>
>>>>
>>> Did you try renaming the executables so they are able to run?
>>>
>>> Malwarebytes Anti malware should be able to remove the infection
>>
>> I finally got the F-Secure thing downloaded and ran it. It didn't
>> find *anything*. Then I slaved the drive in another machine and ran
>> MBytes on it. It found... http://mewnlite.com/mbam.gif . Then I put
>> it back and still no joy. I still don't believe that when I renamed
>> mbam-setup.exe to mblam.exe it actually installed! And updated. Is
>> that the executable you meant to rename?
>> Anyway, I ran it and it found all kinds of good stuff in the registry
>> and got rid of it. Everything is working normally now. I had no
>> problems installing HijackThis or SAS after that either.
>> Thanks to everyone for your help!
>
> Yes that was it, there is a bunch of malware out there that does a
> simple check for the name of the executable, to prevent it from
> running.
I'm curious as to how the malware blocked access to all the antivirus and
antimalware sites. They were not in the HOSTS file. I searched the
registry for "symantec" and "trendmicro" and didn't get any hints. IE had
no sites on the blocked list. Firefox and IE displayed the same behavior.
After I got it cleaned up, there was no problem.
--
--- Where did my libigo? ---
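
The last post asks how a browser-independent block on the vendor sites could work when the HOSTS file was empty and IE's restricted-sites list was clean. The script below is an added triage checklist, not part of the original thread and not a diagnosis of this particular Gateway: it simply prints the system-wide settings that can redirect or block web traffic for every browser at once (the HOSTS file the resolver actually uses, the WinINET proxy and PAC URL that Firefox also honours when set to use system proxy settings, the per-adapter DNS servers, the Winsock LSP catalog, and the current resolver cache). It assumes PowerShell 2.0 or later on the affected machine, runs from an elevated prompt, and the vendor names in the last search are just the three mentioned in the thread.

```powershell
# Added example, not code from the original thread. Read-only triage: it prints
# settings that can redirect or block browsers system-wide; it changes nothing.
# Assumes PowerShell 2.0+ (Select-String -Context) and an elevated prompt.

$hostsDir = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters').DataBasePath
$hostsDir = [Environment]::ExpandEnvironmentVariables($hostsDir)
Write-Host "== HOSTS path the resolver actually uses (malware sometimes relocates it) =="
Write-Host $hostsDir

Write-Host "`n== Active HOSTS entries (non-comment lines) =="
Get-Content (Join-Path $hostsDir 'hosts') -ErrorAction SilentlyContinue |
    Where-Object { $_ -notmatch '^\s*#' -and $_ -match '^\s*[0-9a-fA-F:.]+\s+\S' }

Write-Host "`n== WinINET proxy / PAC (IE, and Firefox when set to 'use system proxy') =="
Get-ItemProperty 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings' |
    Select-Object ProxyEnable, ProxyServer, ProxyOverride, AutoConfigURL | Format-List

Write-Host "`n== DNS servers per enabled adapter (a changed resolver redirects every lookup) =="
Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = True' |
    Select-Object Description, DHCPEnabled, DNSServerSearchOrder | Format-List

Write-Host "`n== Winsock LSP catalog (an injected LSP sees every socket call) =="
netsh winsock show catalog | Select-String 'Description', 'Provider Path'

Write-Host "`n== Resolver cache: what do the blocked vendor names currently resolve to? =="
# Vendor names taken from the thread; extend the pattern for other sites that failed.
ipconfig /displaydns | Select-String -Context 0,4 'malwarebytes|superantispyware|safer-networking'
```

Read the output top to bottom: a DataBasePath that does not point at System32\drivers\etc, a ProxyServer or AutoConfigURL you did not set, DNS servers outside your ISP's or router's range, or a Provider Path in the LSP catalog that is not a Windows DLL each explain "Failed to Load the Page" in both browsers without touching HOSTS. Anything found here is a lead to follow with the Sysinternals tools mentioned earlier in the thread, not proof on its own.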