Spyware Kept Installing - Here's how I fixed it.



#1 jeff891

Posted 27 June 2004 - 02:29 PM

I had the same problem many others on here seem to have, with the spyware seeming to reinstall itself. HijackThis, Ad-Aware, Spybot Search and Destroy, and SpywareGuard all detected the problem when it occurred, but could not solve the root problem.

I found a freeware program on another site on Friday, and to this point, my system has been running clean.

The program is called sphjfix.exe, and it was created by two German companies and is posted in a German spyware forum. When you run the program, if your computer is set up for English, the program is in English.

The link is: http://www.trojaner-...bout_blank.html

It worked for me after dealing with these problems for the last 3 or 4 weeks; hopefully you all will have similar success. Good luck.

#2 trousers

Posted 27 June 2004 - 02:46 PM

Cheers for the advice - however, I have just tried clicking on the sphjfix.exe link on the German website mentioned and, lo and behold, got presented with the infamous 'about:blank' webpage....!

#3 jeff891

Posted 27 June 2004 - 02:50 PM

Hmm, that is a problem. I am by no means an expert, but perhaps if you run CWShredder, it will clean your system long enough to be able to download the sphjfix.exe before it reinstalls itself?

#4 SilentThunder

Posted 27 June 2004 - 02:54 PM

I was able to click on the link above and was able to download and run the program. However, it appears as if sphjfix.exe only works on the variant of the program that hijacks your homepage to sp.html. The variant that I have hijacks to another page, and when I run sphjfix.exe it tells me that I'm not infected. It would be interesting to have someone else with the "Hijacked to sp.html" problem try this fix and re-post to tell us whether or not it works for them.

#5 trousers

Posted 27 June 2004 - 02:55 PM

Hi Jeff - I think I must have the 'cleverest' variant of CWS going, as it looks like it is also stopping me downloading the likes of CWShredder, HijackThis etc. Spyware that doesn't let you get hold of the things that help to kill it. Didn't George Orwell write something about this once upon a time....?!

So, simple question to everyone out there...how do you kill off a virus that blocks you from getting hold of the antidotes.....?!!

cheers,
Martin

#6 jeff891

Posted 27 June 2004 - 03:00 PM

Martin, I could try to email you the Ad-Aware program, but it is over 2MB, and I'm not sure if you could get it.

#7 Censored

Posted 27 June 2004 - 03:21 PM

I just wanted to give some advice, which most of you probably know already, but just in case..

I too had this damn ://().dll hijacker, and after searching the net I ended up very quickly right here. At first I tried deleting the clones myself, but alas that (obviously) didn't do the trick.

So, I downloaded Filemon and Regmon and HijackThis, and started XP in safe mode (F8 in the beginning). Now, since I wasn't sure which files are the infected ones and which not, I moved every file I thought infected to a separate directory on a separate HD, thus cleaning my windows\, windows\system32 directories. While in Safe mode, I used Filemon and the Task manager to make sure nothing's happening. After starting IE a few times and seeing it okay, I stumbled over two files in the system32 directory.. ntoskrnl.exe and ntkrnlpa.exe (or something). Now, I'm not an expert in Weirdoze architecture, and I decided to execute them - if it's infected, I'll see what new files it spawns through Filemon. Alas, they didn't start and a box came up "Error executing program".

I'll cut it short here - Windows didn't come up the next time because I deleted (moved) those files, which happened to be very important ones, to a different location. I had to boot from the Windows Setup CD and the only option I had there was "repair" which gave me access only to root drives and C:\windows + subfolders.. darn! I had to reinstall Windows completely, plus reactivate it through the telephone..

My points are:

1) if you're doing that same technique of moving suspicious files to a different directory, make SURE it's in a directory under c:\windows!
2) remember, if all goes bad you can always boot from the Windows CD - you don't necessarily have to reinstall it all, and can copy the files back (only if it's in a directory as directed above). You might need to change BIOS settings to do that.
3) this (I guess mine was the standard variant) hijacker plants itself mostly in the registry\run, \windows, \windows\system32, services, so remember to go over everything
4) I found this discussion by rd_syringe VERY helpful; I suggest you read it as all other pinned topics - http://www.spywarein...?showtopic=7447.
5) make sure you turn System Restore on right now, if you're still not infected!

Good luck!

#8 trousers

Posted 27 June 2004 - 03:22 PM

Hi Jeff - I think I'm able to receive emails up to 5mb through my ISP, however...

I already have adaware version 6 - when I run this, it detects three CWS entities and proceeds to delete them (or so it would seem). But running the scan a matter of seconds later and CWS is back.

One thing I tried doing with Ad-Aware was to download the 22nd June version of the 'reference file' (I've got a 15th June version) but it wouldn't download - I'm assuming it is CWS that is clever enough to block this update....?

From reading various info on the subject, I think what I need more than anything is cwsshredder but again, my download access is blocked. Is this something that is emailable ?

But even if I get hold of CWShredder, what's the betting that it won't kill off my variant....(excuse my pessimism !!)

Cheers again,
Martin

#9 SilentThunder

Posted 27 June 2004 - 03:51 PM

I don't know about the variant that you have, but the one that I have is immune to Ad-Aware 6.0 with the June 22 update, WebRoot SpySweeper, and HijackThis. All three of these programs will find the CWS program and delete what they think is all of it, but within almost no time at all, if I run another scan, it's all right back. If I download and run the latest version of CWShredder, it can't even find any evidence of the CWS bug at all. I've found that when you run Ad-Aware, if you look closely it will find an executable file, and you have to go under the "Processes" tab of the task manager and shut that executable down before you have Ad-Aware remove everything, or it will be unable to remove the executable file. But even if you do all this and remove the executable file, the next time you reboot the computer and run an Ad-Aware scan it finds another executable file doing the exact same thing, except the file is named differently.

#10 jeff891

Posted 27 June 2004 - 03:58 PM

Martin, I can try to email cwshredder to you. Just give me your email address.

#11 trousers

Posted 28 June 2004 - 01:25 PM

Hi again Jeff - thanks for the kind offer but....famous last words....I think I've cracked it by following some of the instructions in the thread as linked in this thread by 'censored'.

It looks like my notepad.exe had been infiltrated. Trying to delete all traces of Notepad initially failed miserably (including deleting all registry entries of the notepad that were in C:/windows (rather than C:/windows/system32)), but the key to it all seemed to be the advice to start up and do stuff in 'safe mode'. I was then able to eradicate the rogue notepad.exe without it 'reinventing' itself.

I then followed the advice to delete any dodgy looking DLLs/EXEs (I only deleted one or two that had the offending date/time that the problem first occurred last Thursday).

Rebooted, ran adaware, then hey presto...no reoccurring CWS....Hoorah !

As I say, probably famous last words ! But have been clear for 24 hours now...seems like a lifetime.

I know people have said it before, but huge thanks to the 'big family' here on this message board for all the help and hints - it's great that everyone is pulling together on this one.

It just leaves me with a fear that someone somewhere is soon going to write one of these things that prevents you getting on the internet at all to get such advice. What happens then....?!

Cheers again,
Martin

#12 ws_chef

Posted 06 July 2004 - 01:41 AM

My PC was infected by about:blank spyware. This hijack program sets my IE browser home page to sp.html which resides in temp directory.

HijackThis and CWShredder can get rid of it temporarily. However, if I start up Outlook Express or I use IE to go to a mis-typed webpage, the spyware program will hijack my home page again with this sp.html. Worse, this hijack program even screwed up my anti-virus program (Norton) and blocks me from installing anti-virus programs and Windows' latest security update.

SpHjfix.exe did help me to get rid of the spyware completely. I am able to re-install anti-virus and update windows' last patch.

In addition, I manually un-installed outlook express. I am using mozilla browser from now on.
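As an added example (not code from anyone in this thread), here is the kind of check Censored's point 3 and ws_chef's description suggest: a small Python script that reads a `reg export` file and flags the IE start/search page values and Run entries that a hijacker of this kind rewrites. The IE "Main" and Run key paths are real; the sample export, the "winlogonx" entry and the qjk3d.dll file name are constructed for illustration.

```python
import re

# Constructed sample of a "reg export" file with entries of the kind the thread
# describes (IE homepage pointed at sp.html in Temp, a rogue Run entry); not a real capture.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Start Page"="about:blank"
"Search Page"="file://C:\\DOCUME~1\\user\\LOCALS~1\\Temp\\sp.html"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon"="C:\\WINDOWS\\system32\\ctfmon.exe"
"winlogonx"="rundll32.exe C:\\WINDOWS\\system32\\qjk3d.dll,DllStart"
'''

# IE "Main" values a homepage hijacker typically rewrites.
IE_MAIN_VALUES = ("Start Page", "Search Page", "Default_Page_URL", "Default_Search_URL")

def parse_reg(text):
    """Return {key_path: {value_name: data}} for the string values in a .reg export."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and line.startswith('"'):
            m = re.match(r'"(.*?)"="(.*)"$', line)
            if m:  # .reg files escape backslashes and quotes inside string data
                keys[current][m.group(1)] = m.group(2).replace('\\\\', '\\').replace('\\"', '"')
    return keys

def find_hijack_indicators(text):
    """Return (key, value_name, data) triples that deserve a closer look."""
    findings = []
    for key, values in parse_reg(text).items():
        if key.endswith("\\Internet Explorer\\Main"):
            for name in IE_MAIN_VALUES:
                low = values.get(name, "").lower()
                # about:blank alone is weak evidence; sp.html or a Temp path is the telltale
                if low == "about:blank" or "sp.html" in low or "\\temp\\" in low:
                    findings.append((key, name, values[name]))
        elif key.endswith("\\CurrentVersion\\Run") or key.endswith("\\CurrentVersion\\RunOnce"):
            for name, data in values.items():
                low = data.lower()
                # autostart entries that load a DLL via rundll32 or run out of Temp
                if "rundll32" in low or "\\temp\\" in low:
                    findings.append((key, name, data))
    return findings
```

Run it against the output of `reg export HKCU\Software\Microsoft\Internet Explorer\Main` and the Run keys from an uninfected machine first so you know what the legitimate entries look like; everything it flags still needs a human decision before anything is deleted.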

#13 cnm

Posted 26 July 2004 - 12:10 AM

Have you run About:Buster?
http://forums.spywar...showtopic=12609

Microsoft MVP Windows Security 2005-2006
How camest thou in this pickle? -- William Shakespeare:(1564-1616)
The various helper groups here
UNITE


#14 JayHubbell

Posted 26 July 2004 - 02:03 AM

http://www.javacools...areblaster.html

The one thing that seems to have worked for me is SpywareBlaster. I tried all the other freeware tools and this one seems to work to permanently disable about:blank. They apparently disable it by adding what they refer to as kill bits to keep it from executing. Since I'm tech challenged it was the optimal solution for me, since I did not have to diddle with the registry or go through all the angst of screwing up something vital. So far, so good.

Also, Norton has been intercepting and removing something called the Bookmark Trojan. It seems to get removed almost every time I re-boot. I'm not sure where it is coming from or if it is connected to the about:blank problem. Seems to be just a minor annoyance.

I had SpywareBlaster installed before this about:blank pest invaded. Something attacked SpywareBlaster and would not let me re-install it for a long time (a month?). Perhaps the new version of SpywareBlaster is one that is resistant to such an attack or installation.

I'm grateful to the developers and have tried repeatedly to go to their donation site but I always get an error message that they have used up all their bandwidth. What's with that?

And BTW, I happened on a page about a patch available for Mozilla/Firefox to resolve security issues. The conspicuously wealthy greed heads running IE don't seem to give a fig about security. It seems the masses are abandoning IE in droves. Yeah to all you tech folks with world communitarian spirits!
