New, and nasty malware/spyware

Discussion in 'Computing & Gaming Discussions' started by ShakeDown, Dec 15, 2004.

    This sucker is hitting the net harder each day, and there isn't one spyware app that will nuke it yet.

    If you get it, your symptoms will be a maroon banner at the top of your IE screen, that has changing ads. You'll also get a popup every hour or so, trying to hit a site at Here's the only fix that I've found, and it works:

    First edit your HOSTS file. This file is in
    C:\windows\system32\drivers\etc . The HOSTS file has no extension.
    Open it with notepad and add the lines below to the end.
    Make sure there is at least one space (or tab) between the IP address and the domain name. Then save the file. This stops the thing from going to the website.
    Then check at the directory:
    For the dll:
    Remove it!
    Use regedit to search all occurrences of 'popup_bl' and remove them also; there’s about a dozen of them, depending on the variant of this bastard that you’ve got.

    Look for the file systr.dll in your system32 directory. Check the date/time it was created. That's when you were infected. Then just choose a restore point older than that. It's definitely worth a try; it may save you from cleaning it manually. Or, delete all files that were created on the date of infection in your \system32 directory. If you aren’t sure what day that was, check the file dates on system32.exe or systr.dll. In your window go to View / Arrange Icons by… and then select Modified. Make sure you have the “Details” view selected and that you are showing hidden files. This may take some time and require you to remove the system attribute before you can delete those files (Note: systr.dll can’t be deleted this way). Back them up if you have trust issues, but don’t leave them anywhere in your command path. You may want to also do this to your %systemroot% directory; I think I did both, but it was a few weeks ago and my memory is quite shoddy.
    Remove all traces of systr.dll from your registry. On my system there was only one, and it was under: HKEY_CLASSES_ROOT\CLSID\{12345678-0000-0010-8000-00AAFF6D2EA4}, so it’s even money that it’s in the same spot for you. But do a search in regedit to be sure. Delete all the keys that reference it.

    It's very important to delete systr.dll from your system32 directory; if not, the bastard will keep bugging you. This malware puts "systr.dll" in use by explorer.exe, so you will be unable to delete it easily. I deleted it by right click > delete on systr.dll, then quickly end-tasking explorer.exe in less than 3 secs.
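    A scripted version of the checks in the post above (review the HOSTS file, list files created on the infection date, search the registry for a name, and find which process has the DLL loaded). This is an added example, not code from the thread or from ShakeDown: the function names, parameter names and the registry roots it searches are my own choices, and the date and file name in the usage lines are placeholders to replace with what you see on the affected machine. It only reports; nothing is deleted, so you can review the output first, which matters because, as noted later in the thread, removing the wrong registry keys or system32 files can leave the system unbootable.

```powershell
# Added example, not from the thread. Function/parameter names are hypothetical.
# Run from an elevated PowerShell prompt on the affected machine.

function Get-HostsEntries {
    # Lists the active (non-comment) HOSTS entries so you can confirm the
    # blocking lines you added and spot any entries you did not put there.
    param([string]$Path = "$env:SystemRoot\System32\drivers\etc\hosts")
    Get-Content -Path $Path -ErrorAction Stop |
        ForEach-Object { ($_ -replace '#.*$', '').Trim() } |   # drop comments
        Where-Object { $_ } |
        ForEach-Object {
            $parts = $_ -split '\s+'
            [pscustomobject]@{
                Address = $parts[0]
                Hosts   = ($parts | Select-Object -Skip 1) -join ' '
            }
        }
}

function Get-FilesCreatedOn {
    # Same idea as sorting Explorer's Details view by date with hidden files
    # shown: every file (hidden/system included) created on the given day.
    param(
        [Parameter(Mandatory)][datetime]$Date,
        [string[]]$Path = @("$env:SystemRoot\System32", $env:SystemRoot)
    )
    Get-ChildItem -Path $Path -File -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.CreationTime.Date -eq $Date.Date } |
        Sort-Object CreationTime |
        Select-Object FullName, CreationTime, LastWriteTime, Length, Attributes
}

function Find-RegistryReferences {
    # What regedit's Find does by hand: key names, value names and value data
    # matching a regex, under a few roots where such components register.
    param(
        [Parameter(Mandatory)][string]$Pattern,
        [string[]]$Roots = @('Registry::HKEY_CLASSES_ROOT\CLSID',
                             'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion',
                             'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion')
    )
    foreach ($root in $Roots) {
        Get-ChildItem -Path $root -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
            $key = $_
            if ($key.PSChildName -match $Pattern) {
                [pscustomobject]@{ Key = $key.Name; ValueName = '<key name>'; Data = '' }
            }
            foreach ($name in $key.GetValueNames()) {
                $data = [string]$key.GetValue($name)
                if ($name -match $Pattern -or $data -match $Pattern) {
                    [pscustomobject]@{ Key = $key.Name; ValueName = $name; Data = $data }
                }
            }
        }
    }
}

function Get-ProcessesWithModule {
    # Reports which running processes have the named DLL loaded; a DLL held
    # by explorer.exe (as the post describes) cannot be deleted until it is
    # unloaded, so this tells you what is keeping it open.
    param([Parameter(Mandatory)][string]$ModuleName)
    Get-Process | ForEach-Object {
        $proc = $_
        $modules = try { $proc.Modules } catch { @() }   # access denied on some processes
        if ($modules | Where-Object { $_.ModuleName -ieq $ModuleName }) {
            [pscustomobject]@{ Name = $proc.ProcessName; Id = $proc.Id }
        }
    }
}

# Usage. '2004-12-01' and the names below are placeholders: use the creation
# date shown on the suspect file and the names you are actually investigating.
Get-HostsEntries | Format-Table -AutoSize
Get-FilesCreatedOn -Date '2004-12-01' | Format-Table -AutoSize
Find-RegistryReferences -Pattern 'systr\.dll|popup_bl' | Format-Table -AutoSize
Get-ProcessesWithModule -ModuleName 'systr.dll'
```

    The registry search is limited to a handful of roots to keep the run short; widen `-Roots` (or pass `HKLM:\SOFTWARE` and `HKCU:\SOFTWARE` outright) if the variant on your machine registers itself somewhere else, and treat a hit in the CLSID tree the way the post does: check what the key points at before deleting it.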
  2. How's this one hit us, and from where?

    THANKS for the info!!!

    I got mine from a web clue which one, but that's what I get for surfing the dark side of the net.
  4. I've caught a few over there too ("dark side"), but they were easy to get rid of; this one would've been around for a while if I ever caught it without your info...
    Yeah this one is a royal pain...starting to see it on some workstations at work now :(
  6. WOW !! :eek:

    GOOD LUCK...

    Maybe someone will figure out how to stop it and add that fix to our spyware programs...
  7. We got the word yesterday that there is a nasty one in an email disguised as christmas card. Supposedly, 10% of the net was hit.
    Yeah King...I read about that on CNN. I haven't personally seen it, but it sounds like it's spreading fast.
  9. That seems redundant... :confused:
    Simply post the links... ;)
    I use Spybot S&D. I've thought about buying Spysweeper; anyone know if it is any better than S&D? I've never had any problems, I just don't want to start having them.
    The reason that I didn't just post the links is that the ones I would suggest are very powerful registry editors. They do what Shake did all by themselves, but they can be dangerous, as they change the registry values. You have to be careful, as they can remove files associated with what you are trying to get rid of that are necessary for the system to function. They can be harmful, even to someone who is familiar with them. I don't want the responsibility of turning someone's system into a boat anchor.

    If all you are worried about is search bars and spyware, run this along with Spybot S&D.