MISS CHIEVOUS
2007-11-17, 23:25
Hi, I'd like firstly to thank SPYBOT for being such a WONDERFUL program. Please don't interpret my remarks as an attack on the authors of this powerful software; I'm just trying to understand why the program remains vulnerable to hijacking. Also, let's acknowledge one fact before we discuss this: SPYBOT is in the business of cleaning up that most notoriously buggy of web browsers --> Microsoft's INTERNET EXPLORER. If I have any anger at my present infected circumstance, Microsoft owns it. SPYBOT didn't create a browser with the unique characteristic of being the World's Welcoming Committee for every species of malware conceivable, Microsoft did. I'd have to be truly mean to criticize SPYBOT for making every effort to clean up a mess it didn't create in the first place. I curse this browser. I only continue to be suffered to use it because, like a cruel joke upon me, it happens to do the best job of rendering my Adobe Acrobat PDF's to look exactly as they are supposed to look. I have no need to upgrade my OS, and so am stuck in the global Hell that Microsoft sends all of us to by not allowing IEx 7 to be backward compatible with Windows 2000. I think that puts the proper perspective on this thread; here's why I'm posting:
Many years ago I used SPYBOT but had to discontinue using it because of a persistent issue the program had with attracting mischief to my Explorer version 6.x. Then, as now, I'm on Windows 2000 Pro, fully service packed, rolled-up and regularly patched. The immediate presence of SPYBOT on my computer coincided with the hijacking of (you guessed it) Explorer 6. I would download only the latest version of SPYBOT, install it to a new build, Immunize, select my properties, and only then upgrade the program. SPYBOT would find the malware, fix it, and immunize me against it . . . and the next day the malware would be right back. I had to install HIJACK THIS to remove it.
So some years later I am disappointed to find that the same thing has happened with a new install. The Trojan I am infected with is the Win32.Small.afk Trojan, which alters your IEx start page to a site in China named nb4f.com.cn, and delivers the following love note to you upon attempting to access IEx's Options:
This operation has been cancelled due to restrictions in effect on this computer. Please contact your system administrator.
It installs to the registry key
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\run\Userinit
and scripts a file called lwisys16_071115.dll to run, as follows:
C:\WINNT\system32\inf\svchost.exe C:\WINNT\system32\lwisys16_071115.dll start
I assume complete responsibility for the unforgivable oversight of not disabling SCRIPTING in IEx before first installing & updating SPYBOT. This oversight on my part invited the first line of mischief, and it was entirely preventable.
Having said that, I was alarmed that after immunizing myself through SPYBOT this Trojan came right back. Growing increasingly desperate, I ran AVG FREE Anti-Virus . . . which (if anyone doubts what SPYBOT is up against) couldn't even find this Trojan in the first place.
So I did a little research on USENET and discovered that another person had this same issue about a year ago with IEx 6 and its notorious patches and service packs. The gentleman was advised to run HIJACK THIS to fix the Trojan. He did so, but it kept coming back. Having ascertained that my only other reliable fix for a persistent HIJACK attempt -- HIJACK THIS -- was apparently, itself, cracked, I was alarmed to next read -- even at this late date -- a poster who wrote words to the effect that "one of the most popular programs to expose yourself to an IEx HIJACK is SPYBOT."
I haven't downloaded/installed HIJACK THIS because I anticipate having the same experience as this other gentleman. I'll ask this with all the humility I can summon: If neither SPYBOT nor HIJACK THIS can get rid of this Trojan permanently, does this mean I need to completely reinstall my computer?
MISS CHIEVOUS
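An added example, not part of the original post: a check a responder could run over the values exported from the Policies\Explorer\Run key described above, flagging the two masquerading signs in that entry (a value named like a Winlogon setting, and a system binary name outside system32). It assumes the values have already been read into a name-to-command mapping and treats "Userinit" as the value name; the function names and the second sample entry are hypothetical.

```python
import ntpath
import re

# Binaries that legitimately live only in <SystemRoot>\system32.
SYSTEM_IMAGES = {"svchost.exe", "userinit.exe", "winlogon.exe",
                 "services.exe", "lsass.exe"}
# Value names that belong under ...\Windows NT\CurrentVersion\Winlogon,
# not under a Run key.
WINLOGON_VALUE_NAMES = {"userinit", "shell"}


def image_path(command):
    """Return the executable portion of an autorun command line."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:].split('"', 1)[0]
    m = re.match(r"(.+?\.(?:exe|com|bat|cmd|scr))(?:\s|$)", command, re.I)
    return m.group(1) if m else command


def flag_run_entries(entries, system_root=r"C:\WINNT"):
    """Return (value_name, reason) pairs for suspicious Run-key values."""
    system32 = ntpath.normcase(ntpath.join(system_root, "system32"))
    findings = []
    for name, command in entries.items():
        image = ntpath.normcase(ntpath.normpath(image_path(command)))
        folder, base = ntpath.split(image)
        if name.lower() in WINLOGON_VALUE_NAMES:
            findings.append((name, "value name imitates a Winlogon setting"))
        if base in SYSTEM_IMAGES and folder != system32:
            findings.append(
                (name, "system binary name outside system32: " + image))
    return findings


# First entry is the one quoted in the post; the second is constructed.
SAMPLE = {
    "Userinit": r"C:\WINNT\system32\inf\svchost.exe "
                r"C:\WINNT\system32\lwisys16_071115.dll start",
    "ExampleUpdater": r'"C:\Program Files\Example\updater.exe" /background',
}

if __name__ == "__main__":
    for value_name, reason in flag_run_entries(SAMPLE):
        print(value_name, "->", reason)
```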