dave4dl

asked on

surfsidekick AppInit_DLLs

In the registry location
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
there is a key called
AppInit_DLLs
with a value of
"repairs303169590.dll"
that I picked up from somewhere as part of the surfsidekick virus.

When I change or delete this registry value it immediately changes back to "repairs303169590.dll".

I have tried to delete this file with Unlocker, killbox, deleteReboot, and hijackthis (via the delete on reboot) with no success.  Unlocker fails because the "F:\WINDOWS\system32\repairs303169590.dll" file is locked by the [System Process] process (as well as every other process).  Delete on reboot fails because "AppInit_DLLs" loads before the other boot commands are run.

I have tried writing a DOS batch file that continuously loops and merges an empty string to the AppInit_DLLs value and while running it (or several instances of it) cold rebooting or regular rebooting.  None of these things have worked.

Does anyone know how to delete a file like this (or have any ideas about it)?
SheharyaarSaahil

Boot in Safe Mode, log in as Administrator and follow the below instructions:
(warning: it needs registry editing, so be careful :)

To remove the registry key called,
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs

The value of this key may look blank for you, but it is not. They hide the value so you can't see it. This registry key tells Windows to load the trojan DLL every time ANY application is run giving it complete control to do whatever it wants. So you need to remove it so that the trojan DLL cannot load and keep re-infecting your pc.

The way to remove the registry key is not obvious. If you just delete it from regedit, since the trojan DLL is loaded, it will re-add it right back. (Try it. Delete the AppInit_DLLs registry key and hit F5. Notice that it's added right back by the trojan). So what you have to do is the following which worked for me.

1. Rename the HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows folder to Windows2.
2. Now delete the AppInit_DLLs key under the Windows2 folder.
3. Hit F5 and notice that AppInit_DLLs doesn't come back.
4. Rename the Windows2 folder back to Windows.

Now that AppInit_DLLs is gone, run the latest Adaware *(and the other tools also)* to remove the trojan for good. Reboot your machine. Check the registry and make sure AppInit_DLLs is still gone. Your computer should be free of this for good now.
======================================================================================
ref >> http://www.lavasoftsupport.com/index.php?showtopic=32685
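
A read-only check of the value discussed in this answer, as an added example that is not part of the original post or the referenced thread: it lists each DLL named in AppInit_DLLs for both registry views, whether the file exists, and its Authenticode status. The function name Get-AppInitAudit and the lookup of bare file names under the system directory are assumptions of this example; LoadAppInit_DLLs and RequireSignedAppInit_DLLs only exist on Windows versions later than the XP system in this thread.

```powershell
# Added example: read-only audit of the AppInit_DLLs load point (changes nothing).
# Each registry view is mapped to the system directory its DLLs would sit in.
$AppInitKeys = @{
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows'             = 'System32'
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows' = 'SysWOW64'
}

function Get-AppInitAudit {
    foreach ($key in $AppInitKeys.Keys) {
        if (-not (Test-Path -LiteralPath $key)) { continue }   # no Wow6432Node on 32-bit Windows
        $props = Get-ItemProperty -LiteralPath $key
        $raw   = [string]$props.AppInit_DLLs
        # Entries are delimited by spaces or commas; drop empty tokens.
        $entries = @($raw -split '[ ,]+' | Where-Object { $_ })
        if ($entries.Count -eq 0) { $entries = @($null) }       # still report the key itself
        foreach ($dll in $entries) {
            $path = $null; $exists = $false; $sig = $null
            if ($dll) {
                # Assumption: a bare file name lives in the system directory,
                # as the DLL in this thread did.
                $path = $dll
                if (-not (Split-Path -Path $dll -IsAbsolute)) {
                    $path = Join-Path $env:SystemRoot (Join-Path $AppInitKeys[$key] $dll)
                }
                $exists = Test-Path -LiteralPath $path
                if ($exists) { $sig = (Get-AuthenticodeSignature -LiteralPath $path).Status }
            }
            [pscustomobject]@{
                Key           = $key
                RawLength     = $raw.Length      # non-zero for a value that only looks blank
                Dll           = $dll
                ResolvedPath  = $path
                FileExists    = $exists
                Signature     = $sig             # Valid, NotSigned, HashMismatch, ...
                LoadEnabled   = $props.LoadAppInit_DLLs            # $null on XP
                RequireSigned = $props.RequireSignedAppInit_DLLs   # $null on XP
            }
        }
    }
}

Get-AppInitAudit | Format-List
```

Any entry with Signature other than Valid, or a non-zero RawLength with no Dll parsed, is worth examining before attempting removal.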
ASKER CERTIFIED SOLUTION
rpggamergirl
This solution is only available to members.
dave4dl

ASKER

SheharyaarSaahil,

Thanks for your suggestion.  I hadn't even thought about using safe mode before.  Unfortunately as soon as I renamed the Windows registry folder to Windows2 a new Windows folder was immediately created with only the value I mentioned in my original post and of course as soon as I delete that folder it is recreated.  I guess that this means that Windows loads the DLL in AppInit_DLLs even if you are in safe mode.  Windows 98 used to have a startup option where you could be prompted (Y/N) on every startup line but I haven't seen anything like that in Windows XP.

rpggamergirl,

Thank you for your post, I am going to try it right now and get back to you guys.

> Windows 98 used to have a startup option where you could be prompted (Y/N) on every startup line
That you can get in a WinXP system by choosing Safe Mode with Command Prompt.

You need to be able to get to a Command Prompt rather than booting completely into Safe Mode.  Do you have an old Windows 98/2000 boot disk lying around?  If so, boot off the floppy and get to a command prompt.  Once there, browse to the system32 file path and delete the file through DOS.

Once you're there, the command should be:

del repairs303169590.dll

ASKER

SheharyaarSaahil,

I did give Safe Mode with Command Prompt a shot and it did not ask me about loading each item that automatically starts up.  In fact Safe Mode with Command Prompt seems to load a good portion (most) of Windows (everything but the taskbar and other display elements).  This meant that the virus in AppInit_DLLs was still loaded and I could not update the registry (at least not permanently update it) and I could not delete the file.

AnthonyP9618,
Your idea sounds like it might work.  Of course it would be a little bit of a bother having to get the pieces in place to see NTFS partitions.  rpggamergirl posted a set of steps that worked (and was easier) first though so the points go to her.

rpggamergirl,
Your solution worked!  Thank goodness for Brute Force Uninstaller.  I wish there was a more accessible way to do this manually.  Having to rely on this program/script to do this makes me feel a bit less in control of my PC.  When I have the time I will delve a bit deeper into BFU so I can figure out what it is doing exactly.  Thank you for posting this solution!

All,

Thank you so much for all your posts and ideas!
>>When I have the time I will delve a bit deeper into BFU so I can figure out what it is doing exactly.  Thank you for posting this solution!<<

No problem, glad to help.
Thanks for the points with an A grade! :)
Kudos to malware expert LonnyRJones who made the sidekickFix.bat and merijn for his BFU.

merijn's BFU (merijn is also the creator of Hijackthis.exe) has been a great help to malware experts in removing malware infections.

If you want to know more about BFU, you can download the documentation from here:
http://www.spywareinfo.com/~merijn/files/BFU.rtf