Spyware Kept Installing-Here's how I fixed it.
Posted 27 June 2004 - 02:29 PM
I found a freeware program on another site on Friday, and to this point, my system has been running clean.
The program is called sphjfix.exe, and it was created by two German companies and is posted in a German spyware forum. When you run the program, if your computer is set up for English, the program is in English.
The link is: http://www.trojaner-...bout_blank.html
It worked for me, after dealing with these problems for the last 3 or 4 weeks. Hopefully you all will have similar success, good luck.
Posted 27 June 2004 - 02:46 PM
Posted 27 June 2004 - 02:50 PM
Posted 27 June 2004 - 02:54 PM
Posted 27 June 2004 - 02:55 PM
So, simple question to everyone out there... how do you kill off a virus that blocks you getting hold of the antidotes.....?!!
Posted 27 June 2004 - 03:00 PM
Posted 27 June 2004 - 03:21 PM
I too had this damn ://().dll hijacker, and after searching the net I ended up very quickly right here. At first I tried deleting the clones myself, but alas that (obviously) didn't do the trick.
So, I downloaded Filemon and Regmon and HijackThis, and started XP in safe mode (F8 in the beginning). Now, since I wasn't sure which files are the infected ones and which not, I moved every file I thought infected to a separate directory on a separate HD, thus cleaning my windows\, windows\system32 directories. While in Safe mode, I used Filemon and the Task manager to make sure nothing's happening. After starting IE a few times and seeing it okay, I stumbled over two files in the system32 directory.. ntoskrnl.exe and ntkrnlpa.exe (or something). Now, I'm not an expert in Weirdoze architecture, and I decided to execute them in - if it's infected, I'll see what new files it spawns through Filemon. Alas, they didn't start and a box came up "Error executing program".
I'll cut it short here - Windows didn't come up the next time because I deleted (moved) those files, which happened to be very important ones, to a different location. I had to boot from the Windows Setup CD and the only option I had there was "repair" which gave me access only to root drives and C:\windows + subfolders.. darn! I had to reinstall Windows completely, plus reactivate it through the telephone..
My points are:
1) if you're doing that same technique of moving suspicious files to a different directory, make SURE it's in a directory under c:\windows!
2) remember, if all goes bad you can always boot from the Windows CD - you don't necessarily have to reinstall it all, and can copy the files back (only if it's in a directory as directed above). You might need to change Bios settings to do that.
3) this (I guess mine was the standard variant) hijacker plants itself mostly in the registry\run, \windows, \windows\system32, services, so remember to go over everything
4) I found this discussion by rd_syringe VERY helpful; I suggest you read it as all other pinned topics - http://www.spywarein...?showtopic=7447.
5) make sure you turn System Restore on right now, if you're still not infected!
Posted 27 June 2004 - 03:22 PM
I already have adaware version 6 - when I run this, it detects three CWS entities and proceeds to delete them (or so it would seem). But running the scan a matter of seconds later and CWS is back.
One thing I tried doing with adaware was to download the 22nd June version of the 'reference file' (I've got a 15th June version) but it wouldn't download - I'm assuming it is CWS that is clever enough to block this update....?
From reading various info on the subject, I think what I need more than anything is cwsshredder but again, my download access is blocked. Is this something that is emailable ?
But even if I get hold of cwsshredder, what's the betting that it won't kill off my variant....(excuse my pessimism !!)
Posted 27 June 2004 - 03:51 PM
Posted 27 June 2004 - 03:58 PM
Posted 28 June 2004 - 01:25 PM
It looks like my notepad.exe had been infiltrated. Trying to delete all traces of Notepad initially failed miserably (including deleting all registry entries of the notepad that were in C:/windows (rather than C:/windows/system32)) but the key to it all seemed to be the advice to start up and do stuff in 'safemode'. I was then able to eradicate the rogue notepad.exe without it 'reinventing' itself.
I then followed the advice to delete any dodgy looking DLLs/EXEs (I only deleted one or two that had the offending date/time that the problem first occurred last Thursday).
Rebooted, ran adaware, then hey presto...no reoccurring CWS....Hoorah !
As I say, probably famous last words ! But have been clear for 24 hours now...seems like a lifetime.
I know people have said it before, but huge thanks to the 'big family' here on this message board for all the help and hints - it's great that everyone is pulling together on this one.
It just leaves me with a fear that someone somewhere is soon going to write one of these things that prevents you getting on the internet at all to get such advice. What happens then....?!
Posted 06 July 2004 - 01:41 AM
HijackThis and CWSshredder can get rid of it temporarily. However, if I start up Outlook Express or I use IE to go to a mis-typed webpage, the spyware program will hijack my home page again with this sp.html. Worst, this hijack program even screwed up my anti-virus program (Norton) and blocks me from installing anti-virus programs and Windows' latest security update.
SpHjfix.exe did help me to get rid of the spyware completely. I am able to re-install anti-virus and update windows' last patch.
In addition, I manually un-installed outlook express. I am using mozilla browser from now on.
Posted 26 July 2004 - 02:03 AM
The one thing that seems to have worked for me is Spywareblaster. I tried all the other freeware tools and this one seems to work to permanently disable about:blank. They apparently disable it by adding what they refer to as kill bits to keep it from executing. Since I'm tech challenged it was the optimal solution for me since I did not have to diddle with the registry or go through all the angst of screwing up something vital. So far, so good.
Also, Norton has been intercepting and removing something called the Bookmark Trojan. It seems to get removed almost every time I re-boot. I'm not sure where it is coming from or if it is connected to the about:blank problem. Seems to be just a minor annoyance.
I had Spywareblaster installed before this about:blank pest invaded. Something attacked the Spywareblaster and would not let me re-install it for a long time (a month?). Perhaps the new version of SpywareBlaster is one that is resistant to such an attack or installation.
I'm grateful to the developers and have tried repeatedly to go to their donation site but I always get an error message that they have used up all their bandwidth. What's with that?
And BTW, I happened on a page about a patch available for Mozilla/Firefox to resolve security issues. The conspicuously wealthy greed heads running IE don't seem to give a fig about security. It seems the masses are abandoning IE in droves. Yeah to all you tech folks with world communitarian spirits!