3 replies to this topic

#1 kcates



  • Full Member
  • 20 posts

Posted 26 June 2004 - 02:01 PM

okay, I figured it out...

Most of the anti-hijacking programs seem to deal with deleting registry entries, but none of those dealt with .dlls except the browser helper object that HijackThis finds. However, after removing that, the intruder always comes back. There must be a way it's loaded at system boot and I thought it was via the startup options that are presented when you run "msconfig". Not so...

The invading dll loads via the registry entry:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs

This causes it to attach to every application at startup.

If there is a dll specified, like c:\windows\system32\wini.dll, don't bother looking for it in that folder. As long as the intruder is active, it will hide the filename in any folder or directory listing.

YOU MUST DELETE THE REGISTRY KEY! (even if there is no dll listed in it)

However, if you delete it, the intruder will put it back since it is currently running.

1. in regedit, this key is in the Windows "folder" that you see in the left part of the window. Change the name of this folder to "Windows2".

2. Then delete the AppInit_DLLs key.

3. Then change the name of the folder back to "Windows".

I did all this in safe mode, but I don't know if that is required.

Run the various anti-hijack programs to clean up whatever they find.

Then reboot and run the anti-hijack programs again to be sure.

If you've been having problems running HijackBlaster, you'll see that it runs just fine now. The intruder was smart enough to interfere with it.

I can finally get back to all the things piling up for 3 days... :-)

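The persistence location described in this post can be checked offline from a registry export in the "Windows Registry Editor Version 5.00" format; the following script is an added example, not code from the thread. The sample export it parses is constructed, the 64-bit Wow6432Node key and the LoadAppInit_DLLs value come from later Windows versions than the one discussed here, and absence of LoadAppInit_DLLs is treated as "loading enabled" because Windows XP has no such gate.

```python
import re

# Constructed sample .reg export (not from a real machine); the DLL path is the one from the post.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"="c:\\windows\\system32\\wini.dll"
"LoadAppInit_DLLs"=dword:00000001
"""

# Keys whose AppInit_DLLs value is loaded into every process that maps user32.dll (Wow6432Node is the 32-bit view on 64-bit Windows).
APPINIT_KEYS = (
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows",
)
_VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')  # "name"=data

def _unescape(s):
    return re.sub(r"\\(.)", r"\1", s)  # .reg escapes backslash and double quote with a backslash

def _decode(raw):
    if raw.startswith('"') and raw.endswith('"'):
        return _unescape(raw[1:-1])  # REG_SZ
    if raw.lower().startswith("dword:"):
        return int(raw[6:], 16)  # REG_DWORD
    return raw  # hex(...) binary data is left undecoded

def parse_reg(text):
    """Parse a 'Windows Registry Editor Version 5.00' export into {key: {value_name: data}}."""
    keys, current = {}, None
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current is not None and (m := _VALUE_RE.match(line)):
            keys[current][_unescape(m.group(1))] = _decode(m.group(2))
    return keys

def audit_appinit(keys):
    """Return one finding per AppInit_DLLs value that names at least one DLL (registry names compared case-insensitively)."""
    by_key = {k.lower(): {n.lower(): v for n, v in vals.items()} for k, vals in keys.items()}
    findings = []
    for key in APPINIT_KEYS:
        vals = by_key.get(key.lower(), {})
        dlls = [d for d in re.split(r"[ ,;]+", str(vals.get("appinit_dlls", ""))) if d]
        if dlls:
            # LoadAppInit_DLLs exists on Vista and later; XP has no such gate, so absence counts as enabled.
            findings.append({"key": key, "dlls": dlls, "enabled": vals.get("loadappinit_dlls", 1) != 0})
    return findings
```

Because the post notes the DLL hides itself from directory listings while active, the registry value, not the presence of the file on disk, is the thing to check.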

#2 suebat



  • Full Member
  • 17 posts

Posted 26 June 2004 - 04:46 PM

Thank you kcates. I followed your directions and after days of trying was finally able to reinstall SpywareBlaster and it worked. Hopefully I have finally gotten rid of that horrible CoolWebSearch! Good on you!! :D
P.S. I didn't delete the AppInit_DLLs key in safe mode because I didn't know how to get there, but it seems to have worked anyway. I'll let you know if it comes back.

Edited by suebat, 26 June 2004 - 04:47 PM.

#3 JCDenton



  • New Member
  • 4 posts

Posted 26 June 2004 - 05:09 PM

I don't get it:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]

#4 cashmo



  • New Member
  • 1 posts

Posted 24 November 2004 - 09:15 AM

http://secunia.com/v.../10808/agent.b/ has more info. Try http://securityrespo...er/FxAgentB.exe to remove it.

On the PC I was working on McAfee found it as BackDoor-CFB but couldn't remove it. Stinger never found it.
