Like Ultimate Defender but not UD

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by bigbrian, Dec 4, 2007.

  1. bigbrian

    bigbrian Private E-2

    Hi,

    I'm hoping someone can advise on this. My brother-in-law - who's the very definition of clueless when it comes to computers - has just called for help in getting rid of some kind of malware. It behaves exactly like Ultimate Defender - infinite alarmist pop-ups promising all manner of plague and pestilence unless he gets protected, his home page has been hijacked, his desktop has been taken over by some hideous bright red background graphic that tells him to get protected, his system's running at a crawl and his CPU usage is maxed out at 100% most of the time. Last time I visited, which was a while ago, I did install the Norton that he'd just bought, and the settings still look OK, but somehow this seems to have got through. It's set to run LiveUpdate automatically, and I just got him to run it again, and it says he's fully up to date. The Symantec website seems to indicate that it's up to speed with this, and yet it's still not finding it. A system scan produced no issues. So I looked at their instructions for removing this.

    As instructed, I got him to disable the System Restore, run the suggested LiveUpdate and system scan, and I used a remote assistance connection to try and talk him through the last part of the process, removing the rogue registry entries. Except there aren't any. Ultimate Defender doesn't appear in any way shape or form in the registry, and yet he's still got this problem. So I'm guessing it must be calling itself something else. There didn't look to be anything that stood out as obviously bad news, so has anyone else come across any instances of other programs behaving this way but called something else? It seems like every new pop up directs him to a different type of spyware removal tool, but it wasn't possible to find out whether they all end up at the same product.

    He's this close to actually buying whatever it is they're trying to sell him just to make it go away, but I'm guessing that any company that uses tactics like this to get you to buy their product isn't selling you the product that you think you're buying?

    Is there any way I can find out what it is, so that I can find out how to get rid of it? And since he seems quite happy to pay to get rid of it, what's the most comprehensive recommended *legitimate* anti-spyware/popup/malware blocker that he might be better spending his money on that would have the best chance of getting rid of it anyway?

    Thanks in advance
    Brian
     
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Major Geeks

    They are far from in touch with the reality of fixing malware problems like this.

    This is also a bad idea. We don't do this until we remove the malware. The reason we do it this way is that if something goes really wrong, having even an infected restore point to fall back on is better than a PC that will no longer boot.

    This will not work. He will just be wasting his money.


    Yes we can get you fixed up and for free. First we need to see what is really going on and the below will do this for us.

    Please follow the instructions in the below link and attach the requested logs when you finish these instructions.

    READ & RUN ME FIRST. Malware Removal Guide
     
  3. bigbrian

    bigbrian Private E-2

    Thanks for that. It looks like I'm going to have to go to where his PC is and work on it there... he'll never get through all that without getting something wrong!

    I tried running the XP Cleaning Procedure on my own PC to make sure I wouldn't get any surprises when I took it to him, and downloaded all the apps (Combofix/Spybot S&D/AVG/MG Tools). When I got to running MGTools (which I did, as instructed, download to my root folder) I got an error message. The cmd window got as far as

    Updating hijackthis.log <188 bytes security> <deflated 70%>

    when Windows popped up an error window

    ProcessDll.exe Application Error
    The Application failed to initialise properly (0xc0000135) Click OK to terminate the application

    When I do that, the cmd window comes back with

    The system can not find the file specified
    Could not find c:\Documents and Settings\Brian\Desktop\procdll.txt
    Scanning complete

    Is this a problem? Does it mean that the scan didn't actually run? Can I do something about it?

    Thanks
    Brian
     
  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    It may just mean that you do not have the Microsoft .NET Framework software installed. These are part of Microsoft's Updates that you can choose to install. If processDll.exe is the only piece that does not run, it is not too big a problem in most cases.
     
