911 - computer is without antivirus/spybot/hijack this and can't install

My father called me today desperate for help on his dell laptop. He’s running windows xp home and has been complaining that when he clicks on links in his browser they take him to random sites. He deleted firefox thinking it was just that application that was affected, and that he could get to the site and redownload firefox in ie, but the download button was not there. he can’t download any antivirus, anti-malware, hijack cleaners, and he can’t defrag! when he talked to the troubleshooters on the phone at shaw and dell today, they had him delete all of his software before they realized he couldn’t reacquire it. now he has no antivirus/spyware stuff, can’t download it, and it actually won’t read off of a disk when i burned it on my computer and tried to install it that way on his.

any advice short of a complete reformat?

sounds like a file redirector
can he look in his HOSTS file and see if there are a lot of redirects there
create a new hosts file
he can rename his hosts file to hosts.bak
easiest way is to saveas hosts.bak then remove all entries from the hosts file

incidentally it is just plain hosts no hosts.txt or hosts.doc
create it with notepad; if you have to use another editor you have to RENAME from Hosts.whatever to just plain Hosts

include only this line of txt in the new hosts file
127.0.0.1 localhost

another thing you can do is download (on another computer)
DrWEBCUREIT
and
A-Squared - find the usb version on their website
to a usb pen drive
and run from there

any other posters have any ideas?

i’m not sure what a hosts file is, where to find it, or what to be looking for when i do find it. can you walk me through this?

let’s not get into what a hosts file is
you can read up on it later but it comes with all os
you can SEARCH for it and open it with notepad
if it is too big to open with notepad then save as a txt file then RENAME without the .txt after you save
it is in different places with various operating systems
the string I posted last time identifies the local host and the 127 is YOUR COMPUTER
so when something looks for localhost it goes to YOUR COMPUTER
now if we put a baddie in the host file
say
127.0.0 COOLWEBSEARCH
if someone was to try and go on the internet to Coolwebsearch host would say IT’s on YOUR COMPUTER
and of course IT’s NOT so you would get a SITE NOT FOUND Message and would not get a bunch of crap from COOLWEBSEARCH

conversely if some bad stuff were to insert
127.0.0 www.avast.com you would get an error going to avast
and/or
if they put in
123.007.776 www.avast.com
then avast would Be REDIRECTED to that address - which could be a look alike site

I think you can see the problem if your bank were redirected to a phishing site etc

there are other things that could cause dad’s problem but this is the most common and the others are even worse

when doing the search see if something has made a backup of dad’s hosts file
like hosts.bak or whatever
look at it
if it looks ok rename his hosts to hosts.bad and rename the backup to just plain hosts

good luck
I’m offline in about 10 min
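The checks described in the post above, as an added Python example (not code from any poster in this thread): it reads hosts-file text and reports every entry other than the plain localhost line, separating names pointed at the local machine from names pointed at some other address. The sample file is constructed, and `audit_hosts`, `SAMPLE_HOSTS` and `LOCAL_NAMES` are names made up for this example; it also treats `0.0.0.0` and the IPv6 `::1` form, which the thread does not mention.

```python
import ipaddress
import sys

# Constructed sample (not from the machine in this thread). 203.0.113.45 is a
# documentation-range address; www.examplebank.test is a made-up name.
SAMPLE_HOSTS = """\
# sample hosts file
127.0.0.1     localhost
127.0.0.1     www.avast.com          # looks up as this computer
203.0.113.45  www.examplebank.test   # sent to some other machine
123.007.776   www.avast.com          # not a valid address
::1           localhost
"""

LOCAL_NAMES = {"localhost"}  # names that are expected to map to loopback


def audit_hosts(text):
    """Return (line_no, verdict, address, name) for every suspicious entry."""
    findings = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        entry = raw.split("#", 1)[0].split()  # drop comments, split fields
        if not entry:
            continue
        addr_text, names = entry[0], entry[1:]
        try:
            addr = ipaddress.ip_address(addr_text)
        except ValueError:
            addr = None
        for name in names or [""]:
            name = name.lower()
            if addr is None or not name:
                verdict = "malformed"
            elif addr.is_loopback and name in LOCAL_NAMES:
                continue  # the one entry a clean file should have
            elif addr.is_loopback or addr.is_unspecified:
                verdict = "blocked"      # site fails to load (e.g. AV updates)
            else:
                verdict = "redirected"   # site is answered by another host
            findings.append((line_no, verdict, addr_text, name))
    return findings


if __name__ == "__main__":
    # Pass a path such as C:\WINDOWS\system32\drivers\etc\hosts, or no argument
    # to run against the constructed sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_HOSTS
    for finding in audit_hosts(text):
        print("line %d: %-10s %s %s" % finding)
```

An empty result means the file holds nothing beyond the localhost entry, which is the outcome reported later in this thread.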

ok. i did a host search, there are 3 different files found in:

\docs and settings\app data\gtekgtupdate\aupdate\channels…automaintenance
\i386
\windows\system32\drivers\etc

can you tell me which one i’m looking to mess with?

well you can peek at all of them in case one can be used as a backup but the last one looks like the one for your os

they all look legit. just one line saying “127.X.X.X localhost” on all of them. they all match.

i think he might be hooped.

Damn
could you PM DavidR and have him look at this thread
just click on his name from one of his posts

Incidentally you are doing all the right things and we will say nice things to your Dad
when the fire is out we’ll get you protected to minimize the chance of this happening again
so stay tuned

David (and other users) don’t answer by PM what should be addressed in forums.
Alerting won’t make me give priority… we give the help we could, when we could, in the sequence we think is appropriate… but we do the best we can, don’t you think?

You have obviously crossed that barrier and found the HOSTS file/s (there should only be one though, this is the one that should be in use: C:\WINDOWS\system32\drivers\etc\hosts). Here is some more information about it: http://en.wikipedia.org/wiki/Hosts_file

Copy and Paste the HOSTS file contents into a post.

Program & Tutorial - Also useful as a diagnostic tool - FileHippo Download - HiJackThis and post the contents of the HJT log file here. - HJT Information HiJackThis Tutorial.

TECH
I think you are correct
the answer should be in the post
I did not think that you and DavidR were following this post and the area mentioned is something I am not familiar with and I think DavidR just dealt with it in another thread
so I just asked to take a peek at it
thanks