
Possible Malware or Worm... Task Manager and Hijackthis being killed 3

Status
Not open for further replies.

TheTuna

Programmer
Dec 13, 2002
544
US
My friend's PC has something (worm or malware) killing task manager and hijack this.

He's in Dallas, I'm in Houston, so I remoted his PC to try and remove some spyware for him.

Grabbed Hijackthis and Spybot S&D. First tried to run Hijack... it wouldn't start up. So I tried to view the task manager and it wouldn't start up either.

Renamed the hijackthis.exe to Jackthis.exe and it ran fine. There is something called pedot.exe that shows up in 5 different places. I don't know what this one is, so naturally, I suspect it's the culprit. I remove it in all 5 places and run hijack again. All 5 are back again. Hmmmm.

Since I can't kill or even SEE what's running, I can't fix it. Any ideas?

BTW, spybot removed 90 items!

I don't have a hijack log at this time due to location.

Thanks!

[fish] No Dolphins were harmed in the posting of this message... Dolphin Friendly Tuna!

Ever feel like you're banging your head against a tree? I did, so I cut down the tree.
 
Get him to boot into safe mode with networking - then run 2 of the online scanners from What are Good Virus/Spyware?Update/Firewall Practices? faq779-5240

While in safe mode run Spybot, Adaware and Hijack This.

Should clear it up for him.

Greg Palmer
Free Software for Administrators
 
Also check hklm| software| microsoft| current version| run, see if what's reloading it is in there, and get rid of it.
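
The Run-key check suggested in the reply above, as an added example that is not part of the original thread: a read-only PowerShell listing of the standard autostart keys (the full path is `HKLM\Software\Microsoft\Windows\CurrentVersion\Run`, plus the RunOnce, per-user and 32-bit-view variants) that flags values mentioning the pedot.exe name reported here. The `$Pattern` parameter and the output columns are choices made for this example.

```powershell
# Added example: list autostart (Run/RunOnce) registry values and flag
# any whose name or command line matches a pattern. Nothing is modified.
# 'pedot' is the file name reported in this thread; $Pattern is a regex.
param([string]$Pattern = 'pedot')

$keys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

$results = foreach ($key in $keys) {
    # Some keys (for example the WOW6432Node view) may not exist.
    if (-not (Test-Path $key)) { continue }

    $item = Get-Item -Path $key
    foreach ($name in $item.GetValueNames()) {
        $data = [string]$item.GetValue($name)
        [pscustomobject]@{
            Match   = ($name -match $Pattern) -or ($data -match $Pattern)
            Key     = $key
            Name    = $name
            Command = $data
        }
    }
}

# Flagged entries first; review every row, not only the matches.
$results | Sort-Object Match -Descending | Format-Table -AutoSize -Wrap
```

Running it again after a cleanup and a reboot shows whether a removed value has been written back, which is the behaviour described in the first post.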
 
I had the same problem just recently. I got a worm but can't remember the name. I couldn't open task manager or regedit or even cmd, even my antivirus software wouldn't work right. I tried everything but finally got fed up and reformatted and reinstalled Windows. Luckily it was a corporate laptop and everything was stored on servers and not local.
 
Thanks for all the suggestions...

In the end, what I did was rename taskmgr.exe to taskmanager.exe and was able to kill the offending program.

pedot.exe was its name...

Thanks again.
Tuna





 
Tuna,

You are not done by any means with this problem.

Follow the advice above about a thorough malware scan and clean.

This would include at least two online AV scans, as member smah recommended above. Additional details of how to use other utilities to ensure a clean system are available from gpalmer711 in faq779-5240 and my contribution faq608-4650
 
I didn't see anyone say to turn off sys restore first.
 
micker377,

In big bold letters of both faq608-4650 and faq779-5240 both referenced above.

But you are right to raise the issue. Just do not forget to re-enable once the cleanup is done.

 
Thanks again for the excellent advice!
