Spyware loading on startup...

Discussion in 'Windows Desktop Systems' started by Mike521, Nov 3, 2002.

  1. Mike521

    Mike521 Guest

    Couple questions about some spyware, if someone could help me out it'd be much appreciated..

    OK I had this spyware file called "flt.dll" in Program Files\Flt.
    It was running on startup automatically. Normally I am very anal about what runs on startup, and I use MSconfig and uncheck almost everything that's not essential, in the startup and services sections. I also check the registry for startup areas, and of course the start menu startup folder.
    But somehow this file was loading on startup, cause I couldn't delete it without restarting in safe mode and removing it, cause it was in use. So my question is, how was this program loading itself? Where did it put a reference to itself in my startup files? I'd like to check this area for other crap that I don't want loading. Any ideas?


    Dammit, I had another question but now I can't remember it. Oh well. Can anyone help me with this one?
     
  2. yoyo

    yoyo _________________

    Messages:
    1,557
    "flt.dll" is a BHO (browser helper object). They are located in the registry at HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects
    The way to remove this special one (seems you have got the newest version, not yet detected by adaware or spybot) is to open the run dialogue and type in:
    regsvr32 /u "C:\Program Files\flt\flt.dll"
    to unregister it, you can delete the file then.
    There is a little program called BHOdemon which lets you control BHOs.
     
  3. gothic

    gothic LinuXPert

    Messages:
    453
    Location:
    Cornwall Nr. England
    Don't forget you have more than one startup folder! It may have crept into one of the alternatives.
    Mine for example are
    C:\Documents and Settings\Gothic\Start Menu\Programs\Startup
    C:\Documents and Settings\All Users\Start Menu\Programs\Startup
    and
    C:\Documents and Settings\Default User\Start Menu\Programs\Startup

    And I have often found nasty little unwanted programmes hiding in the Default users startup folder.
    The same goes for the registry 'Run' areas. Get yourself 'Registry Crawler' from
    http://www.4dev.com and check for ALL instances of Run, RunOnce, RunServices etc. You'd be surprised at how many there are.
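
Added example, not part of yoyo's or gothic's posts: a read-only PowerShell listing of the autostart locations named in the two replies above (the Browser Helper Objects key, the Run/RunOnce/RunServices keys, and the Startup folders). The function names are made up for this example, and the current-user and all-users Startup folders are resolved through .NET rather than the Windows XP paths quoted above.

```powershell
# Added example (not from the thread): read-only listing of autostart locations.
# Function names are hypothetical; registry paths are the ones named in the posts.
$bhoKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'

# Each BHO subkey is named by a CLSID; the DLL it loads is the default value of
# HKEY_CLASSES_ROOT\CLSID\<clsid>\InprocServer32.
function Get-BhoEntry {
    if (-not (Test-Path -LiteralPath $bhoKey)) { return }
    foreach ($sub in Get-ChildItem -LiteralPath $bhoKey) {
        $clsid  = $sub.PSChildName
        $server = "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\InprocServer32"
        $dll    = $null
        if (Test-Path -LiteralPath $server) { $dll = (Get-Item -LiteralPath $server).GetValue('') }
        [pscustomobject]@{ Source = 'BHO'; Name = $clsid; Target = $dll }
    }
}

# Run, RunOnce and RunServices under both the machine and the current-user hive.
function Get-RunEntry {
    foreach ($hive in 'HKLM:', 'HKCU:') {
        foreach ($name in 'Run', 'RunOnce', 'RunServices') {
            $path = "$hive\SOFTWARE\Microsoft\Windows\CurrentVersion\$name"
            if (-not (Test-Path -LiteralPath $path)) { continue }
            $key = Get-Item -LiteralPath $path
            foreach ($value in $key.GetValueNames()) {
                [pscustomobject]@{ Source = $path; Name = $value; Target = $key.GetValue($value) }
            }
        }
    }
}

# Current-user and all-users Startup folders, resolved by .NET for this machine.
function Get-StartupFolderEntry {
    foreach ($folder in 'Startup', 'CommonStartup') {
        $dir = [Environment]::GetFolderPath($folder)
        if ($dir -and (Test-Path -LiteralPath $dir)) {
            Get-ChildItem -LiteralPath $dir -File -Force | ForEach-Object {
                [pscustomobject]@{ Source = $dir; Name = $_.Name; Target = $_.FullName }
            }
        }
    }
}

# One table covering all three kinds of location; nothing is modified.
& { Get-BhoEntry; Get-RunEntry; Get-StartupFolderEntry } | Format-Table -AutoSize -Wrap
```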
     
  4. gothic

    p.s. must have been replying at the same time....lol
     
  5. yoyo

    Such things happen.... that Registry Crawler looks very interesting.
     
  6. gothic

    'bout the best tool for searching and editing the registry, very fast!!

    TOK
     
  7. yoyo

    Indeed, tried it a few minutes ago - 700 search results in no time, regedit would be still busy. You should post it in Dealer's 'great comm. programs..' thread. Very good find.
     
  8. Mike521


    Cool, thanks for the tips guys, I really appreciate it!

    I don't use spybot but I use ad-aware. Ad-aware DID find the flt.dll file, but it was unable to remove it cause the file was in use.

    I had heard of a way to delete files like that, by killing explorer, deleting it, then restarting explorer, but that sounded like a pain in the ass to me so I didn't bother looking for info on how to do it, I just went into safe mode.
    But that tip about using regserv is great, I didn't know you could do that, I'll keep that in mind for the future.

    So this "browser helper object" is loaded with explorer then? It was causing me to get pop up ads whenever I went to gamefaqs.com, but the popups were blank cause my ad blocker software blanked out the image. The webmaster at gamefaqs.com heard about it and posted that it was advertising porn though. I was just pissed that my pop-up blocker wasn't stopping it.

    Anyway thanks again for the advice, and I'll definitely check out those programs you guys listed, I'm getting sick of manually running through regedit for all this stuff.


    Oh, one other question I had--how come I couldn't see this thing in my process viewer? Was it just a thread inside IE, and therefore not specifically listed there?