Posted 26 June 2004 - 02:01 PM
Most of the anti-hijacking programs seem to deal with deleting registry entries, but none of those dealt with .dlls except the browser helper object that HijackThis finds. However, after removing that, the intruder always comes back. There must be a way it's loaded at system boot and I thought it was via the startup options that are presented when you run "msconfig". Not so...
The invading dll loads via the registry entry:
This causes it to attach to every application at startup.
If there is a dll specified, like c:\windows\system32\wini.dll, don't bother looking for it in that folder. As long as the intruder is active, it will hide the filename in any folder or directory listing.
YOU MUST DELETE THE REGISTRY KEY! (even if there is no dll listed in it)
However, if you delete it, the intruder will put it back since it is currently running.
1. In regedit, this key is in the Windows "folder" that you see in the left part of the window. Change the name of this folder to "Windows2".
2. Then delete the AppInit_DLLS key.
3. Then change the name of the folder back to "Windows".
I did all this in safe mode, but I don't know if that is required.
Run the various anti-hijack programs to clean up whatever they find.
Then reboot and run the anti-hijack programs again to be sure.
If you've been having problems running HijackBlaster, you'll see that it runs just fine now. The intruder was smart enough to interfere with it.
I can finally get back to all the things piling up for 3 days... :-)
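An added example, not part of the original posts: because the post above says the DLL is hidden from directory listings while it is active, this sketch audits the registry value itself by scanning the text of a regedit export for any non-empty AppInit_DLLs value. The sample export is constructed, the key path in it is the standard Windows location for this value (an assumption, since the post does not spell it out), and the function names are hypothetical.

```python
import re

# Constructed sample of a regedit export (not taken from the thread). The key
# path is assumed to be the standard AppInit_DLLs location; the DLL name is
# the one mentioned in the first post.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"="c:\\windows\\system32\\wini.dll"
"DeviceNotSelectedTimeout"="15"

[HKEY_LOCAL_MACHINE\SOFTWARE\Example\Windows]
"appinit_dlls"=""
'''

KEY_RE = re.compile(r'^\[(-?)(.+)\]$')              # [key] or [-key] (delete)
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')  # "name"=data
STRING_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"$')      # quoted REG_SZ data

def unescape(s):
    """Undo .reg escaping of backslashes and double quotes."""
    return re.sub(r'\\(.)', r'\1', s)

def find_appinit_dlls(reg_text):
    """Return [(key, [dll, ...])] for every non-empty AppInit_DLLs value."""
    findings, key = [], None
    for line in reg_text.lstrip('\ufeff').splitlines():
        line = line.strip()
        m = KEY_RE.match(line)
        if m:
            key = None if m.group(1) else m.group(2)
            continue
        m = VALUE_RE.match(line)
        # Registry value names are case-insensitive.
        if not (m and key) or unescape(m.group(1)).lower() != 'appinit_dlls':
            continue
        data = m.group(2).strip()
        s = STRING_RE.match(data)
        if s:
            # The value holds a space- or comma-separated list of DLLs.
            dlls = [d for d in re.split(r'[ ,]+', unescape(s.group(1))) if d]
        elif data == '-':
            dlls = []        # "name"=- marks a value deletion
        else:
            dlls = [data]    # unexpected data type: report raw for review
        if dlls:
            findings.append((key, dlls))
    return findings
```

Real regedit version 5.00 exports are UTF-16 encoded, so decode the file with `encoding='utf-16'` before passing its text to `find_appinit_dlls`.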
Posted 26 June 2004 - 04:46 PM
P.S. I didn't delete the AppInit_DLLS key in safe mode because I didn't know how to get there, but it seems to have worked anyway. I'll let you know if it comes back.
Edited by suebat, 26 June 2004 - 04:47 PM.
Posted 26 June 2004 - 05:09 PM
Windows Registry Editor Version 5.00